Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@. Skimlinks & other affiliated links are turned on

Search
  • FIRST POST
    • Former MSE Helen
    • By Former MSE Helen 21st Aug 13, 4:39 PM
    • 2,324Posts
    • 971Thanks
    Former MSE Helen
    MSE News: Google Chrome warning: Be careful with online passwords
    • #1
    • 21st Aug 13, 4:39 PM
    MSE News: Google Chrome warning: Be careful with online passwords 21st Aug 13 at 4:39 PM
    "It's been revealed that online passwords are stored with little security on Google Chrome, so users should beware..."

    Read the full story:

    Google Chrome warning: Be careful with online passwords




    Click reply below to discuss. If you havenít already, join the forum to reply. If you arenít sure how it all works, read our New to Forum? Intro Guide.

Page 1
    • keyser666
    • By keyser666 21st Aug 13, 5:32 PM
    • 2,045 Posts
    • 1,571 Thanks
    keyser666
    • #2
    • 21st Aug 13, 5:32 PM
    • #2
    • 21st Aug 13, 5:32 PM
    Hardly anything new?
    • dtaylor84
    • By dtaylor84 21st Aug 13, 5:53 PM
    • 635 Posts
    • 519 Thanks
    dtaylor84
    • #3
    • 21st Aug 13, 5:53 PM
    • #3
    • 21st Aug 13, 5:53 PM
    What a ridiculous article.

    Whilst Internet Explorer and Firefox may give the option of encrypting all your passwords using a "master password", I think you'll find (almost) no one bothers to set one! Where's the dire warning for users of those browsers to set the password?

    Ultimately, if the browser is able to send your password to the remote site without you having to type it (or another master password) then quite clearly your computer knows the password, and anyone with access to your computer can find it too!

    And given the (lack of) strength of passwords chosen by most users, storing them unencrypted on their own PC is the least of their worries.
    • VisionMan
    • By VisionMan 21st Aug 13, 6:33 PM
    • 1,554 Posts
    • 673 Thanks
    VisionMan
    • #4
    • 21st Aug 13, 6:33 PM
    • #4
    • 21st Aug 13, 6:33 PM
    My passwords got hacked because of the above. And I didn't understand how. So my son said 'Did you save passwords in Chrome?' to which I replied I didn't know. So without using a password, he went into Chromes ' Advanced Settings' page and there they were, unprotected. They have since been deleted.

    And how many other non Chrome savvy users don't know this either? Because not everyones an expert, you know.
    • dtaylor84
    • By dtaylor84 21st Aug 13, 8:35 PM
    • 635 Posts
    • 519 Thanks
    dtaylor84
    • #5
    • 21st Aug 13, 8:35 PM
    • #5
    • 21st Aug 13, 8:35 PM
    My point isn't that this is not a problem. My point is that this is the wrong problem to be worrying about.

    1. It's not just Chrome -- people save their passwords in all browsers, and almost none of them will both know how to and be bothered to set a master password in them.

    2. It's the wrong problem to worry about. If someone has managed to gain access to your computer to view your unencrypted passwords, they have sufficient access to install a keylogger and get all your passwords anyway.

    3. It's entirely the wrong problem as most password compromises happen at the other end. Hackers don't attack a single computer and steal one user's passwords. They attack a company and steal passwords for the entire userbase. Hopefully, if the company is remotely competent, these will be hashed passwords, but well over 50% of passwords are so weak they can be easily guessed by a computer in minutes or hours.

    If MSE want to champion computer security, it's certainly a worthwhile cause. But this article is (as usual) misleading and sensational.
    • SewerSide
    • By SewerSide 21st Aug 13, 8:42 PM
    • 121 Posts
    • 116 Thanks
    SewerSide
    • #6
    • 21st Aug 13, 8:42 PM
    • #6
    • 21st Aug 13, 8:42 PM
    Massively much more important is to use different passwords for every site. That way if one site gets hacked, they cant reuse your email and passwords on other sites.

    If you want to securely store passwords in Chrome (or other browsers), use an add-on such as Lastpass or Keepass. Lastpass in particular is very good at importing your passwords from your browser, helping you change them to more secure passwords, and making them accessible from any browser you use. (Keepass has a free Android app as well).
    • zagfles
    • By zagfles 21st Aug 13, 8:53 PM
    • 14,117 Posts
    • 12,225 Thanks
    zagfles
    • #7
    • 21st Aug 13, 8:53 PM
    • #7
    • 21st Aug 13, 8:53 PM
    As I understand it IE will encrypt the stored passwords with the user's password as the key - so other users shouldn't be able to see them unless they know your password. Not sure about firefox.
    • zagfles
    • By zagfles 21st Aug 13, 9:05 PM
    • 14,117 Posts
    • 12,225 Thanks
    zagfles
    • #8
    • 21st Aug 13, 9:05 PM
    • #8
    • 21st Aug 13, 9:05 PM
    Massively much more important is to use different passwords for every site. That way if one site gets hacked, they cant reuse your email and passwords on other sites.
    Originally posted by SewerSide
    Definitely! Seem to remember there was some scam a few years ago along the lines of some website offering freebies, you just had to register with a username and password. They then tried that same username and password on all the internet banking sites and yes, some people were daft enough to use the same username/password!
    • VisionMan
    • By VisionMan 21st Aug 13, 9:17 PM
    • 1,554 Posts
    • 673 Thanks
    VisionMan
    • #9
    • 21st Aug 13, 9:17 PM
    • #9
    • 21st Aug 13, 9:17 PM
    My point isn't that this is not a problem. My point is that this is the wrong problem to be worrying about.

    1. It's not just Chrome -- people save their passwords in all browsers, and almost none of them will both know how to and be bothered to set a master password in them.

    2. It's the wrong problem to worry about. If someone has managed to gain access to your computer to view your unencrypted passwords, they have sufficient access to install a keylogger and get all your passwords anyway.

    3. It's entirely the wrong problem as most password compromises happen at the other end. Hackers don't attack a single computer and steal one user's passwords. They attack a company and steal passwords for the entire userbase. Hopefully, if the company is remotely competent, these will be hashed passwords, but well over 50% of passwords are so weak they can be easily guessed by a computer in minutes or hours.

    If MSE want to champion computer security, it's certainly a worthwhile cause. But this article is (as usual) misleading and sensational.
    Originally posted by dtaylor84
    I know what your point was. And a valid one it is too.

    But you missed mine. If anyone, be that family, friends, or my childrens mates can view all my passwords via Googles advance settings page, thats just poor. And highly alarming too.

    The MSE article is valid. And right to point it out too.
  • NewFolder
    There are a lot of bad things people could do if you leave your computer unattended and unlocked. The easiest solution is to either lock the screen (windows logo key and L) or even better, save some battery life and/or electricity and put it into standby.

    Most browsers have this feature and have done for years. It can be incredibly useful if you ever forget a password.

    At least in chrome, it only reveals passwords individually. In Firefox, there's a big button which will reveal EVERY username and password you have saved in the browser, meaning someone could get your credentials for your email, facebook, internet banking, and any other accounts you have, instantly.
    • DJ Mike
    • By DJ Mike 22nd Aug 13, 7:15 AM
    • 237 Posts
    • 212 Thanks
    DJ Mike
    Thanks for the pointless anti-Chrome sentiment and driving people onto inferior browsers, MSE.
  • Money-Saving-King
    I was expecting this article to be useful and tell me something I didn't know. It's not exactly done that as most of us have just found out!
    • Million Percent
    • By Million Percent 22nd Aug 13, 9:01 AM
    • 188 Posts
    • 206 Thanks
    Million Percent
    My advice:

    1. Never use the password save feature of a web browser

    2. Use different passwords for all sites

    3. Make your passwords strong (ie. minimum of 8 characters, containing a mixture of lower case and upper case letters, numbers and special characters where supported)

    In my opinion it is better to have a strong password that you keep written down than have an easy to remember password that can easily be guessed or cracked. The risk of someone breaking in to your house and stealing the piece of paper you have them written on is very low. The risk of an easy to break password being hacked online is much greater.


    Geek Alert!

    A technique I use is to create a number of easy to remember password 'elements' and then combine them in different ways to form multiple passwords. I then record my passwords in a form of code that only I understand but is very easy to remember.

    For example:

    I like Formula 1, so I could create a password element based on a driver's surname. Let's use 'alonso'. I then modify this by making the second letter a capital and converting the 'o's to zeros so we get 'aL0ns0'.

    I could make as many of these password elements as I like based on different subjects but always using the same modification strategy (ie. second letter captial, convert 'o' to '0'). I then use the subject name as the code for that password element.

    The second part of my password is a number that I know off by heart eg. a loved one's mobile number. Let's say it's 07123456789. What I'll do is append a number of these digits to my chosen password element. If we take my aL0ns0 element and combine it with the first 3 digits of my number then we get aL0ns0071. For reference this scores 89% for password strength at www.passwordmeter.com. By adding an exclamation mark on the end it scores 100%. So we have a very strong password which is 'aL0ns0071!'

    This would be difficult to remember so we can write it down in a code the makes it easy to remember. My code for this password would be:

    f1-3-ex

    I know my F1 password element is 'alonso' with my conversion technique applied. The 3 represents the first 3 digits of my memorable number and the ex means an exclamation mark.

    By using various combinations of different password elements, different numbers of digits from my memorable number and various special characters I can make many secure passwords without having to remember them character by character.
    • KxMx
    • By KxMx 22nd Aug 13, 9:05 AM
    • 7,579 Posts
    • 11,079 Thanks
    KxMx
    I never have used this feature, always seemed like an unnecessary risk to me.
  • zennith
    And in other news - people without Anti Virus software installed are more likely to get infected.
    • devizes18193
    • By devizes18193 22nd Aug 13, 10:11 AM
    • 1,458 Posts
    • 685 Thanks
    devizes18193
    What it does though is store all your user ids on mobile chrome
    • Tropez
    • By Tropez 22nd Aug 13, 10:11 AM
    • 3,358 Posts
    • 11,789 Thanks
    Tropez
    Personally, I find it easiest to use a password generator that allows you to create a password without even typing it in and then stores the password for one-click entry but using high-level encryption. You need to have a master password setup to be able to use the service, which protects against this type of fault.

    The simple truth is that nobody should be using public terminals or shared computers to access sensitive information because not only can these problems occur but they can also be relatively easily inserted with keyloggers and other scripts designed to steal information.
    • richardw
    • By richardw 22nd Aug 13, 12:00 PM
    • 18,963 Posts
    • 8,003 Thanks
    richardw
    My advice:

    1. Never use the password save feature of a web browser...
    Originally posted by Million Percent
    Exactly! can't see the point of saving them anywhere.
    Posts are not advice and must not be relied upon.
  • kkid
    Can it be added the to article ways of maintaining the functionality of storing passwords on your computer but with improved security through the likes of password add-ons such as lastpass?
    • kingmonkey
    • By kingmonkey 22nd Aug 13, 7:27 PM
    • 830 Posts
    • 252 Thanks
    kingmonkey
    This is not news. Its been like this for years.

    Your meant to have a password for each user that uses the computer.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

3,032Posts Today

7,752Users online

Martin's Twitter