Don’t let Chrome expose your passwords

Do you still struggle with remembering your password? Is this despite our many attempts to help you: “Train your Brain: Don't put your password on paper!” (article here), “Creativity@CERN” (article here) and “Maths to the rescue!” (article here)? Then you might have considered the “save your password” features in Chrome, Firefox or Internet Explorer… these features remember your Facebook, CERN, Twitter, Amazon and eBay passwords. But be careful: it might be easy for someone to read them!

 

If enabled, Chrome, Firefox, Internet Explorer and others can remember the password of specific sites after you’ve logged in to those sites the first time. However, as the passwords are stored in plain text, they can be read out by anyone with access to that computer. In Chrome, just type “chrome://settings/passwords” and click the password you want to reveal. Or in Firefox, go to “Options->Security->Saved Passwords…” and hit “Show Passwords”. Internet Explorer does not provide such a “simple” option, but there are tools that can access your saved passwords in this browser too (1).

If you are security-aware and want to be on the safe side, never ever type your password into a PC that you don’t own or don’t trust. Examples of such public PCs include those in Internet cafes, hotels and conference venues, as well as those available near the CERN Users Office, in the CERN Library or in the CERN training centre. If you have to, use private browsing, e.g. the “incognito window” in Chrome, the “Private Window” in Firefox and “InPrivate Browsing” in Internet Explorer. Also consider changing your password once you’re back on your personal PC. If you store passwords on your personal PC, protect the password vaults with a master password. In Firefox, enable “Use a master password” under “Options->Security”. For Chrome and Internet Explorer, the master password is tied to the logged-in account. Alternatively, you can use generic password vaults like KeePass or Password Safe (2).

However, Google has made a strong statement on this issue, stating that the security of your passwords on your own PC strongly depends on who has access to it. And right they are. The ultimate security for all your individual passwords strongly depends on the protection level of the PC you use; whether all of its applications, in particular its operating system and browser(s), are up-to-date and patched; the way you browse the Internet and handle emails (“Jekyll or Hyde? Better browse securely”); and finally how strong and secure your account’s password is. Recommendations on the choice of a good password can be found on our website.


(1) Very helpful technical documentation on this can be found here.

(2) Note that usage is at your own risk. Neither the CERN Security Team nor the IT department supports these tools.


Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


by Computer Security Team