[liberationtech] And now for some completely different flame... Chrome + password management
coderman
coderman at gmail.com
Thu Aug 8 00:55:17 PDT 2013
On Wed, Aug 7, 2013 at 9:09 PM, Patrick Mylund Nielsen
<cryptography at patrickmylund.com> wrote:
> Encrypting the passwords with a master passphrase wouldn't be useless...

even if this is useful, it is a policy that should be implemented in
the key manager and not the browser (or any other app, each on an
ad-hoc basis, each with their own controls and configuration and
assurances, each with their own flaws and shortcomings).

consider KeyChain on Android with keystore and hardware backed secret
storage - if you use the standard interfaces instead of rolling your
own you get hardware protections where available without any
additional effort. the same applies to desktop key manager policies;
apps should rely on existing infrastructure rather than implement
their own solutions poorly.

again, policies and configuration like master passwords, session
timeouts, explicit authorization, etc. are all the domain of a key
manager and not the browser or any other app.

the only thing Google could have done better is provide a more visible
and useful description of how Chrome uses existing key management
facilities on the desktop to save passwords and where the user can
find out more about how this service functions.
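
As an added illustration of the point above (not code from the original message or from Chrome), the sketch below shows an Android app delegating both key storage and access policy to the platform keystore through the standard `android.security.keystore` interfaces. The class name `SavedPasswordVault` and the key alias are hypothetical, and the 300-second window is an arbitrary sample value.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

public final class SavedPasswordVault {
    // Hypothetical alias chosen for this example.
    private static final String KEY_ALIAS = "example_saved_passwords_key";

    /** Generate an AES key inside the platform keystore; the app never sees the raw key bytes. */
    static SecretKey createKey() throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(new KeyGenParameterSpec.Builder(
                KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Policy is attached to the key and enforced by the keystore, not by app code:
                // explicit user authorization, valid for a limited window (sample value).
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(300)
                .build());
        // Throws if the device has no secure lock screen configured.
        return generator.generateKey();
    }

    /** Ask the keystore whether this key is held in secure hardware on this device. */
    static boolean isHardwareBacked(SecretKey key) throws GeneralSecurityException {
        SecretKeyFactory factory =
                SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    /** Encrypt one saved password; returns {iv, ciphertext} for the app to store. */
    static byte[][] encrypt(SecretKey key, byte[] password) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        // Fails with UserNotAuthenticatedException if the user has not
        // authenticated within the validity window set on the key.
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return new byte[][] { cipher.getIV(), cipher.doFinal(password) };
    }
}
```

The app contains no master-password prompt, timeout logic or hardware detection of its own; each of those is a property of the key that the keystore enforces.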