It was just a couple of months ago that trend-watcher The Next Web announced that Google Chrome had overtaken Microsoft’s Internet Explorer as the Web’s most used browser, a position that IE had held since, well, way back in the last century.
So it’s unfortunate that just last week it was revealed (yet again) that Chrome is not very protective of stored passwords.
According to a story in the UK’s Telegraph newspaper, a security flaw in Google’s Chrome browser allows anyone with access to a user’s computer to see all of their stored passwords directly from the settings panel.
Software developer Elliott Kember discovered that simply typing “chrome://settings/passwords” into the URL/search bar brings up a list of all stored passwords. While the passwords come up obscured (like: ftp://idmjournal.com dkearns ********), clicking the line brings up a “show” button, and clicking that button reveals the password! Even more shocking, Kember found there’s no way to require a “master password” that can be invoked before seeing the individual ones. Anyone with access to your computer can bring up Chrome and see all of your passwords – and the associated usernames.
Even worse, Kember found that when migrating to Chrome (he was moving from Safari, but moving from IE or Firefox works the same way) you have to import all of the saved passwords and they will all be available no matter if you want them to be or not.
Note that Ping Identity’s John Fontana just wrote about this problem and stated that it was first brought to light in 2008!
In a world where we seem to spend an inordinate amount of time talking about strong authentication, flaws like this show that no matter how “strong” we think our passwords and passphrases are they’re completely vulnerable to a flawed system. A password like “=43-9 ut0193q$#qrgvDFG1235Avpr” is no more likely to be safe than “password1”.
The first thing you’ll want to do, of course, is remove all of your passwords from Chrome. Make a note of them, and then delete them.
Next, you’ll need a better “password vault”. As I noted last fall, for many years I used a browser add-in called “Sxipper,” developed by Dick Hardt who was a co-founder of OpenID. Sxipper was not only a tool to remember usernames and passwords (as well as all the details needed to fill out forms) but was also a password generator, creating randomized groupings of letters, numerals and other characters that were well past the ability of most users to remember. But, of course, they didn’t need to remember them – Sxipper did it for them. Sxipper could save a file containing all of your data to local storage (in case there was ever a problem) but, like Chrome, this wasn’t encrypted, nor was authentication required to access Sxipper once your computer was up and running (i.e., authenticate to the OS and you could run Sxipper). Sxipper was officially killed early this year.
Even before that, though, I’d switched to using Chipdrive MyKey from SCM (now Identiv). Besides encrypting the archive file, it uses a USB stick which makes the service portable among all of your USB-enabled devices. It doesn’t, unfortunately, create passwords so I do need to be disciplined about that but it does protect the encrypted password file with a PIN. While it’s true that someone using my computer could use MyKey to authenticate, they wouldn’t be able to obtain a list of my passwords. Of course, they could login to a site and change the password, so there are potential problems.
So what can you do?
It’s simple, stop using passwords to authenticate.
Wait, you say, that isn’t my choice, is it? Well, it could be.
One of the most popular password vaults is LastPass, which encrypts your passwords and requires a master password to change them. It also syncs passwords cross all of your devices. But the real kicker – although it’s a pay-to-play premium option – is the ability to add two factor authentication (2FA) to any site you visit.
LastPass has teamed up with Yubico to enable 2FA using the Yubikey hardware token. In practice, you use the Yubikey to authenticate to LastPass which then authenticates you with the correct username/password combination. Someone gaining control of your computer would still be locked out of password-protected sites if they didn’t have your Yubikey. A single user Yubikey plus a one year subscription to LastPass premium will set you back a minimum of $33. There are bundles for enterprise customers, but no great savings.
While you still need a password to login, I see this as merely an indication of the account you wish to access (the username+password combination) with the token providing the actual authentication mechanism. That means you really don’t have to go for long, involved passwords – “password1” would be as secure as a 2000 character bit of nonsense.
Slowly, major web properties are moving to two factor authentication. Google did this some time ago, Twitter just recently announced it. But most of these rely on SMS messages as the second factor and, as last year’s Eurograbber attack was shown to have stolen over 36 million Euros through a sophisticated man-in-the-middle attack against SMS systems, this might not be your best choice. As security vendor Checkpoint described the exploit:
- Target goes to malware website, probably by clicking a link in a phishing email
- Target later goes to bank web site and malware injects instructions into the session that prompts the customer to enter their mobile phone number
- Target is instructed (seemingly by bank) to download “security update” to phone which is actually a variant of the “Zeus in the mobile” (ZITMO) Trojan.
- The Trojan then intercepts the bank’s SMS containing the all-important “transaction authorization number” (TAN), the number the target has to enter in the bank’s web site authentication screen. The Eurograbber Trojan on the customer’s mobile device intercepts the SMS and uses the TAN to complete its own transaction to silently transfer money out of the bank customer’s account.
This all happens quietly in the background with the target only becoming aware when they notice their depleted bank account.
The Google and Twitter 2FA offerings are free, while the Yubico+LasstPass will set you back $33 the first year, and approx. $12 each subsequent year. On the other hand, I think in this case you really do get what you pay for.
Do note that there are some open source possibilities which have this functionality to a greater or lesser extent. KeePass (a password manager) can be used with the add-on OtpKeyProv which provides one time password access to the KeyPass database. A modification of KeePass, called Web KeyPass, can be used with WiKID’s 2FA system – directions for this are here. Both of these solutions require a bit of DIY, but it could be educational for you to try to do that.