9

I understand that Chrome uses the OS's password storage mechanism to protect passwords on your computer. 1 I also understand that these passwords can be (in my case, are) protected with a passphrase of my choosing, for syncing them in the cloud.

Are my passwords safe when I'm logged out of my local Linux / Windows account?

There exist a means on both Linux2 and Windows3 for clearing / changing user account passwords. Can an attacker simply reset my local account password, log into it, open Chrome, and be able to use my passwords? Or does the OS password protection mechanism prevent this?

There are several sources that indicate that Keyring / Windows DPAPI derive the password store decryption key from your account password. 4

Is the Google Chrome "session" protected in this same way?

I'm just hesitant to "trust" that everything is safe without understanding what's going on under the hood.

It would feel good if Chrome would ask me for a master password, but they don't want to implement that feature. 5 I'm okay with that, as long as I know my data is protected by my OS account login.

Community
  • 1
Jonathon Reinhart
  • 802
  • 7
  • 13

1 Answers1

8

In cases where a password store key is derived from the account password, it is impossible to get access by force-resetting the account password. When that's happening, the password store is encrypted with a key derived from the password. Decrypting it requires the password; the password isn't just used to tell the OS you have permission to view it (like normal file permissions), it's the only way to decrypt the store, because the decryption key isn't stored anywhere on disk (it's re-derived whenever you enter your password). That's the big difference between encryption and access control: access control can generally be bypassed because it relies on the OS letting you access something or not letting you do it, but encryption cannot because the only way to get the data is by something found only in the user's head.

The OS doesn't know your password: it stores a hash of the password, but it doesn't store the password and doesn't store the key. Someone who gains access to your account in any way except entering your password can't decrypt the password store. That includes resetting the password. If you change it normally, the OS can decrypt the store with your old one (which you either supplied to log in or supplied to change the password) and save it re-encrypted with the new one. If you change it with password reset tools, what the OS does is overwrite the password hash, but it can't decrypt the store to re-encrypt it. It sometimes keeps the old one around in case the user knew their password but had to reset it for some reason (in which case they can enter it in when they next log in to their account to change the encryption key), but the data remains inaccessible until the original password is entered to decrypt it.

cpast
  • 7,223
  • 1
  • 29
  • 35
  • Thank you for the information. You've confirmed my understand of how the key derivation worked for the Keyring, etc. But what I really want to make sure I understand is that Chrome is completely relying on the OS services for password protection. I mean, how does Sync fit into this picture? To sync from a Linux box, does it pull all the passwords from the (unlocked) Keyring, encrypt them with **what**, and push them up to the cloud? When did I unlock that key? – Jonathon Reinhart Jan 03 '15 at 04:18
  • Chrome appears to protect *that* with Google account credentials, which are stored in the Windows password store. – cpast Jan 03 '15 at 04:28
  • Okay, great. It sounds like a very secure solution then. – Jonathon Reinhart Jan 03 '15 at 06:46