Having given Chrome a try now I can only second the request for some sort
of master password feature. This is the one thing I am really missing in
Chrome right now.
Master password is important security feature!!!!!!!!!!!!!!!!!!!
Please? add it ASAP!!!!!
What Chrome Developers didn't do, some other developers did. You all can
find at least two extensions which address this HUGE gap in Chrome:
Roboform -
http://www.roboformchrome.com/topic/roboform-for-chrome-alpha-was-released
and LastPass - https://lastpass.com/misc_download.php?noscroll=1#windows
Those two solutions (LastPass & Roboform) require you to store your
passwords online. A move that will not be made by people with common
sense. Those companies must comply with all authorities and hand them the
information per request.
Don't risk yourselves. This is not the solution.
Chrome developers, what say you? who can we talk to about this issue that
would actually listen?
Issue 34019 has been merged into this issue.
Issue 34213 has been merged into this issue.
I don't see why there should be so much fuss about this issue. Just
implement the damn master password and those who want it can use it and
those who don't care won't use it.
It can't be that simple to view someone's stored passwords, just clicking a
button! And it's at plain sight on Chrome's options!
We're not asking for much here (at least not me) Just a simple master
password to make it a bit more difficult for person X using my PC to see
all my stored passwords. Of course there are ways to circumvent this, just
as there are ways to circumvent a lock on someone's door. That doesn't mean
we shouldn't use locks!!
I just can't believe this issue hasn't been addressed yet.
Wading through the comments again shows an interesting process here.
Around comment 81 the requested design spec was provided. At comment 93 the
developer leaves, and enters at comment 104 the guy who habitually closes
master password bugs, and reasons that _windows_ (I don't know what that
could be, the only windows I have provide light through the walls) have
password whatever and it has some keys which do something and we're lazy to
push that so the spec interests nobody, doesn't require any consideration,
explanation of ignoring or so, and the bug is closed. He reasons that MP
isn't secure because it only stays against physical access, so and so.
I try to be polite.
1) It does not require physical access. Passwords are stored on the
filesystem, unencrypted. It requires any access, remote, local,
transcendental, whatever. You retrieve the file, read the password.
2) The magic keypresses (session and root passwords for the ignorant ones)
don't provide any protection against physical access, and educated people
can enter the filesystem the same amount of time a live CD boots on a
machine, period. Then get the file, read it.
3) Installing a keylogger requires efforts several magnitudes higher than
copying a file, and nowadays most people possess several ways of preventive
measures to detect or avoid these.
4) Master password isn't recoverable by peeking at the filesystem.
5) Master password is crackable by brute force methods, yes. Stronger the
password and more careful the implementation make the required time longer
and the required resources larger. The whole point of security is to make
it non feasible to break a security feature as much as possible. Except
proper one time pads there isn't really such thing as Ultimately Secure
System. I believe that a strong master password means a high barrier to get
the stored credentials, which is _much_ better than the current state of
affairs (basically storing plaintext everything).
I (and I'm sure most of us here around) very much would like to have the
discussion about this feature with knowledgeable persons except pkasting,
who is I'm sure a friendly and positively thinking person but seems to
possess limited and somewhat personal attitude towards this issue. If the
design spec contains problems, discuss them, fix them. If there is a (said)
knowledgeable team who *really* examined the problem and come up with real
*reasons against implementing it* we much probably would be happier to hear
these instead of summaries basically containing "no, just because I think
it's not good". (Such denials ought to contain at least a pros and cons
which would show that pros were considered, and the cons still outweigh
them.)
And as a sidenote issue 812 explicitly make people talking about master
password (like) feature to shut up, so maybe it isn't "duplicate" after
all. (But I acknowledge the possible limitations of this issue tracker in
these cases. :-))
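Points 4 and 5 of the comment above, sketched as an added example (not part of the thread and not Chromium code): the file on disk holds only a salt, nonce, ciphertext and tag, and each password guess costs a full PBKDF2 run. The function names, the iteration count and the HMAC-counter keystream (a standard-library stand-in for an authenticated cipher such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000  # assumed work factor; every guess costs this many HMAC rounds


def _derive_keys(master_password, salt, iterations):
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password, logins, iterations=ITERATIONS):
    """Return the dict that would be written to disk for the login store."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(logins).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC: the tag lets unseal() reject wrong passwords and edits.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return {"iterations": iterations, "salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag}


def unseal(master_password, blob):
    """Return the logins, or None if the password is wrong or the file was altered."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    enc_key, mac_key = _derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


# Constructed sample data, not taken from any real profile.
SAMPLE_LOGINS = [{"origin": "https://forum.example", "username": "alice",
                  "password": "not-so-strong-forum-pw"}]

if __name__ == "__main__":
    stored = seal("a long master passphrase", SAMPLE_LOGINS)
    print(json.dumps(stored, indent=2))   # all that a copy of the file reveals
    print(unseal("wrong guess", stored))  # rejected without revealing anything
    print(unseal("a long master passphrase", stored))
```
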
Issue 37450 has been merged into this issue.
Agreed with grinapo in comment 165. It seems this request is taken very
seriously by many security-conscious people who would really like to use
Chrome but won't because of this single issue (me included), and on the
other hand is downplayed with a lot of effort by people at Chromium. It's
frustrating for both 'sides', in particular because the current
implementation already intends to have the user's login credentials act as
a kind of master password, but doesn't quite reach the intended goal. And
in security 'almost' certainly isn't good enough.
Please note:
- On Linux the current encryption routines do nothing, so passwords are
stored in plain text
- Redirecting this issue to issue 812 is really off-track because that
issue is apparently about on-line password sync - something
security-conscious people may not want
- The master password is pretty trivial to implement and would not in any
way be confusing to people who do not enable it
Perhaps it would be good to escalate this a few levels instead of -
apparently - a single developer deciding this is a stupid feature to ask
for?
Agreed this is very necessary. I will suspend my chrome usage until this is
fixed.
my passwords have been stolen because of the lack of this feature! it's a
shame. From now I do not let Chrome remember my passwords 'cos it's TOTALLY
UNSAFE!!! :((((
isn't chrome/chromium open source? if it is, why cry google to implement
master password feature? perhaps there already exists a fork that includes
it.
Duplicate of 812??? Issue 812 is about remote profiles, stored at google.
That means, if you want a password, you need to store all your user data at
google?
It's not the same issue!
I find it very scary that nobody has been able to do an extension for
this. Surely that says something about the extensibility (or lack
thereof) of chromium.
As google appear disinclined to fix this security vulnerability, I have
raised a CERT vulnerability report about it. It will be interesting to see
what the experts think of the ability to reveal all passwords with a simple
command like:
echo 'SELECT username_value, password_value FROM logins;' | sqlite3 ~/.config/chromium/Default/Web\ Data | grep -v '^|$'
Indeed, putting some external pressure on chrome devs with an official CVE
number might help where reason failed...
Issue 46866 has been merged into this issue.
Does anyone know if this will be implemented?
Seems ridiculous not to have a master password - come on google!
It really appears to be such a simple thing to develop.
Simply can't use Chrome as default while we don't have proper password
protection.
Come on, where's the problem? Is somebody actively ignoring us Chrome users?
Absolutely - I'm fed up with Firefox and would absolutely love to use
Chrome, but the lack of a master password is a show stopper.
Browsing the comments, there's a few idealistic comments along the lines
of "it's only an illusion of security" and "a determined hacker could still
get past a master password", fair comments - but this is still preventing
uptake of the Chrome browser for multitudes of people. Why waste
considerable money on slick advertising campaigns comparing Chrome to
potato guns and the like, when implementing this (seemingly) simple feature
would bring those multitudes into the Chrome fold. You could even display a
disclaimer when the feature is enabled to absolve any responsibility for
determined hacks.
One other negative I saw cited was that a casual user using someone else's
machine would be pestered by the 'enter master password' dialog multiple
times - for that an easy fix is just to ask, on the second or third
cancellation of the dialog, 'do you want Chrome to stop asking for the
master password for the remainder of this session?'.
Issue 50393 has been merged into this issue.
Strange! The feature is really important. Add it please, because I don't
want to use the tools like lastpass to store my passwords there
I'm absolutely livid that such a feature hasn't been added already. I would
actually appreciate Chrome once this much-needed feature has been
implemented.
D.
Issue 53696 has been merged into this issue.
This is a 2 years old bug report. And no master password yet. I'm giving up
on Chrome until this is fixed...
I didn't realize it when my issue got merged into this one, but this issue
has been closed since October 2009.
I think getting your issue merged into this one is a roundabout way of
squashing your Issue ID.
This still hasn't been fixed!?
Okay, I get the argument. Master passwords aren't perfect. Windows crypto
works fine. You shouldn't let other people use your computer while you're
logged in. After all, every modern OS has a quick "switch user" or "guest"
facility. Only let people borrow your computer if you trust them. Okay,
okay, I understand.
It still annoys me, as well as the trusted person who is borrowing my
computer, when the other person tries to log into some website and Chrome
automatically fills the login form with my username and password. Not
annoying in the same way that Firefox is annoying (it displays a damned
modal dialog every time!) but still very annoying.
Yeah, I don't see why there isn't a master password... just doesn't make
sense, it's like keeping your money stored in an unbreakable safe, but with
the keys to it right in front of the door...
Issue 57596 has been merged into this issue.
"Hey guys lets ignore basic security and focus on beating those stupid
micro$$$oft hacks at making things look shiny!!!"
Seriously.
Fix this issue.
Unacceptable.
Comment #207 on issue 1397 by stuart...@chromium.org: Master password is missing
http://code.google.com/p/chromium/issues/detail?id=1397
Issue 57570 has been merged into this issue.
Of course one can always be careful. With this kind of reasoning, I do
really not need any encryption technology when I communicate to my bank
because they could always give me a piece of paper with a one time pad
encryption key that I can keep in my underpants and destroy every time I go
to sleep.
Seriously people, security technology is here so that having security is
not an inconvenience. I don't want to always worry about whether or not I
remembered to lock the screen when I am away from my office computer for 5
minutes.
At the end of the day, if they wanted to implement this, they would not
have merged it with a completely unrelated issue and closed it. This is not
gonna happen, so stick to Firefox. Then you can have security without being
inconvenienced.
Since there is no tool for us to see how many of us need this
master-password must-have implementation, I have created a blog with one
poll regarding explicitly this issue. Please vote pro or contra
implementing master password in Chrome.
http://securemybrowser.blogspot.com/
Issue 59456 has been merged into this issue.
We just need a master password when it is sophisticated enough to provide
remote theft protection. For other needs, just remember to lock your
computer with a strong password!
+1
A master password may not protect against a keylogger attack specifically.
But it does protect against other forms of attack. The keylogger/rootkit
approach requires the attacker to leave (detectable) traces of his attempt.
His kit might need a connection to a server. Or he might need to come back
to retrieve whatever was logged. Furthermore: nosy girlfriends, friends or
family and other non-professional hackers with physical access usually
don't go as far as to install keyloggers and rootkits. Currently grandma
can just view and steal the password without leaving a single trace.
That's just too easy!
In case this helps, it seems like you can configure the "Show passwords"
button from the registry.
For more information, see this page -
http://dev.chromium.org/administrators/policy-list-3#PasswordManagerAllowShowPasswords
So can an unauthorized person just change this registry setting to see
all the passwords on someone else's machine? If so then no, it doesn't help.
@216
It's interesting, but this bug is as much for the average user who has
never heard of the registry but still saves password in Chrome, as it is
for us.
@213 "But I think the far greater risk is my laptop falling into the wrong
hands and staying there while they take time to do forensic research and
recover personal and private data"
That would be my main reason for password encryption of passwords as well.
The thing is, right now, you don't even have to be a forensic expert, nor
do you need any knowledge about trojans and keyloggers. You open chrome and
write down all the passwords. That is a no go for all mobile devices.
Can't this be made pluggable, so that if google doesn't care about casual
security, at least others can provide plug in modules that do?
Issue 62159 has been merged into this issue.
Agree with everyone. We need a master password!! I've just realised this
problem and probably will switch back to firefox if this is not resolved
soon
Issue 68374 has been merged into this issue.
The registry provided here
http://dev.chromium.org/administrators/policy-list-3#PasswordManagerAllowShowPasswords
does not exist on Chrome 8 on Windows 7 x64.
Over 2 years and Google does nothing about this glaring security issue. Can
this be solved with an extension?
Issue 70547 has been merged into this issue.
Issue 72163 has been merged into this issue.
For linux systems that use gnome-keyring or the KDE equivalent you could
lock your keyring before leaving your PC. Unfortunately I don't know the
equivalent in Windows.
Had to run google chrome with --password-store=gnome to use my keyring.
To lock your gnome-keyring in Ubuntu at least you could either use seahorse
or run:
python -c "import gnomekeyring;gnomekeyring.lock_sync('login')"
Another thing to note is that gnome-keyring is locked by default when you
lock your screen. Passwords are then encrypted again.
This is enough for me to use chrome even if there is no master password.
An alternative is to use KeePass (Windows). Nice solution, but too complex
for many users.
Without this so basic feature Chrome gets a HUGE UNLIKE from me. Going back
to Firefox which has this function. I can't believe that Google is so
incompetent in this issue. 40 years ago men were on the Moon. I don't think
this is rocket science...
Issue 76478 has been merged into this issue.
The "master password is an illusion of security" excuse is a total cop-out.
I don't use a master password to keep malicious hackers that have physical
access to my computer out of my stuff, I use it so that my friends and
family don't have instant access to all of my websites when I leave my
computer unlocked for them to use. I love Chrome, but a master password
really should be implemented. I'm sick of having to open KeePass every
time that I need a password.
"master password is an illusion of security", yes but such a feature
like "Show password" is ABSOLUTELY awful!!!
Issue 76940 has been merged into this issue.
Issue 75897 has been merged into this issue.
Design doc = Firefox Master password!!!!! Duh. DO IT.
How can users wait from Chrome developing team to understand the problems
they are facing when they are so badly organized that they have several
threads for the same issue.
This Master Password issue is also discussed here (perhaps other threads
also.. don't have time to lose with such lack of support team and search
for more) http://code.google.com/p/chromium/issues/detail?id=53 with the
same "ignoring users" solution from the part of the developing team.
Google is wondering why Android phones and tablets didn't reach the level
of professionalism of Apple's products?
Dear Google please stop playing the act of being open source and open
minded and start being an open source and open minded company ( at least on
those places you say you are).
Ok then. Take this scenario: You use Google chrome at work. All your
passwords are nicely synced between work and home. When you leave your job,
you hand your laptop/computer back in... "oh, crap. I forgot to uninstall
chrome"!!! The next person to log in (admin or whoever) now has access to
all your passwords.
Scenario 2: You've got your laptop out for a party. You leave it unlocked
so others can select music. One person decides they want to check their
Facebook account: fire up chrome, now they're in YOUR Facebook account.
This has been requested by SOOOOOooooooo many people; listen to your users.
Master Password feature is very important... many times this happens that
relatives or friends are visiting & wanna check a quick email... in the
meantime, one has to fetch some food Or stuff for guests... here u go, ur
passwords are a public property now & even before u can recall this flaw in
chrome. Google's concern for privacy of users becomes doubtful. Master
password feature is a MUST...
For keyloggers & hackers antivirus programs are there... & the usual reply
given here that they can still hack in is outright hilarious... Like ya, if
u take all necessary precautionary measures you will still die one day ...
oh come on google I like chrome, plz don't make me switch.
More than half of the interested users of Chrome are asking for this
feature. Implement it at par with Firefox or IE. At home, most of us share
computers, many with a single login. Or parents sharing their user account
with children. This is the nature of Windows and it's casual usage for
browsing, similar to iPad browsing. Those of us who would like to have Chrome
store passwords are appalled by Personal Stuff, and the SHOW option. Once
you hit Personal Stuff, and before SHOW, you should be prompted for master
password, similar path as Firefox. Or with IE, it stores them and not ever
viewable in clear text, simple encryption within flat db, and overwritten
if change in login. Simple. Done. Please change this Google.
The one I have been using with firefox is perfect, type in Master pwd once
per session to unlock. Locks down when I close browser, if I leave the
browser unattended and unlocked well that's my problem/fault.
It is unbelievable this feature is not added to Chrome. I have held off
making Chrome my browser of choice, recently deciding to convert
permanently then I find this obstacle.
Everything else I love but because of this one issue I am staying with
firefox, I am prepared to go without all the Chrome goodness to be able
master lock my passwords.
Concur with many comments here - esp. 257. I'm looking to switch from FFOX
due to performance issues but, it has an easy-to-use (and I presume secure)
method of securing saved passwords. If Chrome doesn't have it, the security
risk is too high for me and I'm left with no choice but FFOX or, find some
app that stores PC-wide passwords securely.
Let me just add to the (seemingly) ignored issue. And this is the same
analogy previously mentioned in another comment.
The argument against this feature says that it's just "security through
obscurity" since a user with physical access can circumvent the security.
So does this mean I shouldn't bother storing my important belongings in a
safe at home since my friends have physical access to it in my house? So I
should just leave important belongings and thousands in cash out in the
open because well, "they're in my house and trusted". Lol. Does this mean I
should put my private belongings on my living table for everyone to see
since they could find it anyway in my bedroom? Should I not lock my car
since a person has physical access to the windows? Does this mean I
shouldn't encrypt sensitive data since a user with access to my machine can
find it? Does this mean I shouldn't password protect my machine at work
being that my co-workers have physical access to it and it's not secure
anyway?
Additional layers of security that are possibly crackable with physical
access does NOT mean that security is "security through obscurity" and I'm
surprised google (of all people) defined it this way. They are just
additional measures of security (crackable or not) and most if not all
things are crackable but that doesn't mean that I shouldn't have more
security added wherever possible.
I mean... c'mon google... YOU'RE STORING MY PASSWORDS IN PLAIN TEXT. Isn't
that like security 101?
ROFL, can't believe this is still not implemented for 2 years?... what's the
reason and where is a statement of the dev team about this.
sorry I have not the time for a long comment, as I have now to switch back
to FF...
I just want to have a strong master password for the session, so I can save
my not so strong forum passwords here in the browser.. that's no kind of
obscurity!
maybe it has to be done by public private key? as the algorithm would be
open source but I would have no problem with that...
Issue 102267 has been merged into this issue.
those silly google android/skype guys should have been told that it is
completely ok to store unencrypted user data and they should store password
in that way as well :-)
Once you have malicious app on your pc/phone, encrypting is useless,
if you don't have malicious app you don't need encrypting. q.e.d.
What about a malicious *person*? IE, someone steals your laptop. If the
passwords are encrypted, they're in no immediate danger of being
compromised. If they're unencrypted, you better hope you can race to
another computer and change them before the thief has a chance to exploit
them.
Absolutely right
I just now realized that Chrome lacks a master password feature, and as
such, I will be deleting it from all of my workstations and uninstalling it
until such time as Google sees fit to listen to the users.
The fact is that computers are subject to casual use by friends and family,
and I have no desire for my wife or friends to be able to see my passwords
in plain text with two clicks of a mouse. Call it a "false sense of
security" and mock if you will, but Chrome is out.
Use Lastpass brah, no need to sweat over stubborn devs. Chrome has other
features that makes it superior I guess. B)
Since 2008? Wow. What's wrong with Google? I thought these guys were the
cream of the country. First of all, you can't deny access to everyone. A
friend comes over and wants to use facebook, you can't deny him nor can you
watch him all the time. He can easily just go to settings and sneak a peek
just for fun. Agreed he could install a keylogger, but few people are that
tech-savvy. Sneaking a peek at Chrome's settings is something few people can
do. Not to mention the antivirus scanners which make it hard to install
keyloggers. A peek at chrome setting, however is no big deal. I find
google's keylogger excuse really lame. How many average net users know
about them? How many can actually sneakily install them? How many can get
past A/Vs and install them. When a malicious bugger has access to your PC,
it sucks, he can do a lot of damage. But with Chrome, your average Tom Dick
or Harry can be a net terrorist with 4 easy clicks!
I can't believe that the "portable" issue hasn't been raised more
frequently.
A master password is MOST important when Chrome/Chromium is stored on a USB
Pen drive that is formatted FAT32 (with no encryption), and is shared
between (many) computers.
The whole point of having a Portable Browser is so that you don't have to
trust Cyber Cafe computers. It is MUCH more useful if it also stores
(encrypted) your passwords for each website. This SOLVES the KeyLogger
problem, since a keylogger on such an untrusted computer would NOT be able
to intercept you typing your password... the password would be inserted by
Chrome. Maybe such a Keylogger could intercept your MASTER password, but
that wouldn't compromise anything, provided that it is different from your
website passwords.
As this issue is open for so long and nothing ever happens, I very
strongly believe that there is a purpose behind this. Keeping the stored
passwords easily available for any person who is interested in using them
for malicious purposes must fulfill some political goal for Google,
Maybe Google is trying to keep people from using too many different sites,
so they will ultimately concentrate on a single signon at google+? And stop
using others because of the security risk?
Uh.... you mean it's been *CLOSED* for so long. The bug was dup'ed away
and closed in Comment 104. See the status info: bug Closed since Oct 2009.
Google's refusing to add the Master Password for the browser's stored
passwords is simply telling the userbase that Google doesn't listen to
feature requests. Not everyone is going to install Chrome/Chromium in the
user's personal folder (I use the "portable" ZIP file version, with a
shortcut to put the profile folder in /chrome/profile, for example).
Not sure if I want to *ever* use Chrome again, after listening to 300+
users get ignored.
Issue 116209 has been merged into this issue.
Wow I cannot believe how long this has been a crucial issue.
Comment #285 on issue 1397 by ishe...@chromium.org: Master password is missing
http://code.google.com/p/chromium/issues/detail?id=1397
(No comment was entered for this change.)