Password Settings Page: Showing Passwords in Plaintext

Kyle Horimoto

May 5, 2015, 10:16:33 PM
to chromium...@chromium.org, Dan Beam
Hey team,

I'm working on the chrome.passwordsPrivate API, and I came across an issue I wanted to ask about. In the existing settings page, the saved password metadata is displayed in the UI when it loads. If you want to check out the actual password in plaintext (instead of the placeholder dots), you can click show, which results in the JS making a chrome.send() request to the C++ layer, which then fetches the password and sends it to the JS.

I was wondering if/why the extra round-trip is necessary. Would it be okay just to send all the passwords in plaintext as part of the data sent to the page when it is initialized? I was thinking it might have some security implications, but I can't really think of a reason why it would be any more secure to send the passwords in a separate message as opposed to bundling them with the other data and sending them all together.

I figure it would make for a simpler and easier API if the extra round-trip could be eliminated, but I wanted to make sure that I'm not missing anything before I go that route. Let me know if there's something I'm not understanding properly! Thanks!

Kyle

Kyle Horimoto

May 5, 2015, 10:44:13 PM
to Steven Bennetts, Dan Beam, chromium...@chromium.org
I looked at the C++ code, and it only shows the password when requested. Is there a concrete reason why the current pattern is preferable? I don't think I should be spending extra time engineering the "only send the password to JS if requested" solution unless we have a real issue we can point to that it solves.

On Tue, May 5, 2015 at 7:36 PM, Steven Bennetts <stev...@google.com> wrote:

You should look at what the C++ code does, but ideally we shouldn't even decrypt the passphrase unless/until the user requests to. The less it is in memory, the lower the risk. Even though it is more work, I think the current pattern is preferable.

--
You received this message because you are subscribed to the Google Groups "Chromium Settings" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-settings/CA%2Bmjahmbi5a_H2w9PtLaqVFap26fmPotCmsvHCFSyL9zP0GJpg%40mail.gmail.com.
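
The two designs discussed in this thread, as an added example that is not part of the original messages and is not Chromium code: it counts how many saved passwords become plaintext, and how many reach the page, when they are bundled with the initial data versus fetched one at a time on "show". Every class, method and field name is hypothetical, the rows are constructed sample data, and base64 stands in for the real decryption step.

```javascript
// Added illustration, not Chromium code: every name below is hypothetical.
// unseal() stands in for the real decryption step; base64 is NOT encryption.
class PasswordBackend {
  constructor(entries) {
    // Only the sealed form of each password is kept at rest.
    this.rows = entries.map((e, id) => ({
      id, origin: e.origin, username: e.username,
      sealed: Buffer.from(e.password, 'utf8').toString('base64'),
    }));
    this.unsealCount = 0; // how many secrets were turned into plaintext
  }
  unseal(sealed) {
    this.unsealCount += 1;
    return Buffer.from(sealed, 'base64').toString('utf8');
  }
  // Design A: plaintext bundled into the data sent when the page initializes.
  listWithPlaintext() {
    return this.rows.map(({ id, origin, username, sealed }) =>
      ({ id, origin, username, password: this.unseal(sealed) }));
  }
  // Design B, first message: metadata only; the page shows placeholder dots.
  listMetadata() {
    return this.rows.map(({ id, origin, username }) => ({ id, origin, username }));
  }
  // Design B, second message: one plaintext, only when "show" is clicked.
  revealPassword(id) {
    const row = this.rows.find((r) => r.id === id);
    if (!row) throw new RangeError(`unknown password entry: ${id}`);
    return this.unseal(row.sealed);
  }
}
// Count plaintext secrets created and delivered to the page in each design.
function measureExposure(entries, shownId) {
  const a = new PasswordBackend(entries);
  const pageA = a.listWithPlaintext();
  const b = new PasswordBackend(entries);
  const pageB = b.listMetadata();
  const shown = b.revealPassword(shownId);
  return {
    bundled: { unsealed: a.unsealCount, inPage: pageA.filter((r) => 'password' in r).length },
    onDemand: { unsealed: b.unsealCount, inPage: pageB.filter((r) => 'password' in r).length + 1 },
    shown,
  };
}
const SAMPLE = [ // constructed sample data
  { origin: 'https://a.example', username: 'alice', password: 'pw-a' },
  { origin: 'https://b.example', username: 'alice', password: 'pw-b' },
  { origin: 'https://c.example', username: 'bob', password: 'pw-c' },
];
```

With the sample rows, measureExposure(SAMPLE, 1) reports three plaintext passwords created and delivered for the bundled design and one for the on-demand design.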