[liberationtech] And now for some completely different flame... Chrome + password management

Patrick Mylund Nielsen cryptography at patrickmylund.com
Wed Aug 7 21:09:08 PDT 2013


Encrypting the passwords with a master passphrase wouldn't be useless. At
the very least it makes it harder to extract plaintext passwords from a
discarded hard drive. On the other hand, a master passphrase doesn't offer
nearly as much security as users think it does when they enable the
feature. It doesn't make it "safe" to let another person use your computer,
for example. (Even if the attacker is an "illiterate" shoulder surfer, they
can download tools that trivially extract the passwords after the store has
been decrypted--not to mention that there are many other ways the passwords
can be compromised where it simply doesn't matter that you have a master
password, or that the store is encrypted.)

As you said, both sides are right, and both sides are being dicks about it.
A master password gives a false sense of security, but it also defeats the
most rudimentary "oh let's log into his/her Facebook and post a stupid
message, lol! I know how to see their passwords!". "We want people to lock
their screens/log out/shut down their computer when they don't use it" is
a respectable and beneficial position of Google to take, and I can only
shake my head in response to them getting this much bad press for it.
(Virtually all the press I've seen has made it sound like other browsers
don't in fact store passwords in a reversible format when clearly this is
necessary for the autofill/autologin feature to work at all.)


On Wed, Aug 7, 2013 at 10:04 PM, Brian Conley <brianc at smallworldnews.tv> wrote:

> Are they being irresponsible or aren't they?
>
>
> http://mashable.com/2013/08/07/chrome-password-security/?utm_cid=mash-com-fb-main-link
>
> That is a serious question I'm interested to hear a variety of opinions on,
> both for and against Google's position, OK go!
>
> Spoiler alert, I think both players are being jerks and not considering
> the importance of outreach and how users learn...