SN #803 - Chrome passwords


alt3rn1ty

Dec 27, 2020
@Steve in Security Now 803 you mention that to view Chrome's passwords you "can say show me my passwords, and it does"

In my experience by clicking the individual passwords view icon you can only see the one password, not all of them, and ..

.. For me if I wish to remember one of my many passwords after clicking the View Password Icon, I am prompted by Chrome to enter my Windows system password to unlock it before it becomes viewable on screen. You did not mention this so ..

Is that only if you do not have a local account Windows password enabled?


You can make all your passwords in a clear text file by Exporting them (IIRC you have to put Chrome://flags in your address bar, then in the flags page search for password and then enable Import / Export) - Periodically I do that and back that file up to an external USB drive which is locked away, and delete the file on the machine in use afterwards with Bleachbit.

So as far as I know passwords are secure by default, not saved in clear text, and if you want to back them up you have to go out of your way to do that. I prefer this to storing things in the cloud which I have no control over once the data has left my machine.

But they are not (at least not in my case) easily viewable just by clicking the view icon. I guess if someone else has your system password then it's game over, or if your screen is viewable from outside the house via binoculars over your shoulder etcetera, or if you use Chrome in a public place like a library, then sure getting your passwords would be easy.

@ Anyone else please feel free to use this topic for anything else related.
 
I've also found that you can't just move the SQLite database file to a new PC and use it, even if you use the same username/password. The password blob is probably taking into account something about that Windows login besides just the username and password.
 
I wonder also now if it's a case of people using Google's Login (and all the cloud sync stuff) that may make a difference in how you are presented with being able to view passwords, I think Steve mentions that he uses it, I don't.
 
I think that the key might be entangled with the system’s unique identifiers and the user account’s GUID… did Google document what they do to protect the data?
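
On the question raised in the posts above of what the "password blob" in the SQLite file is: the following is an added example, not part of the thread or Chrome's own code. It classifies each stored value by its header without decrypting anything, so you can confirm that entries are opaque blobs protected by Windows DPAPI under the user's profile rather than clear text. Assumptions not stated in the thread: the `logins` table and `password_value` column names, the DPAPI blob header bytes, and the `v10` prefix used by newer Chrome builds; the sample rows are constructed.

```python
import sqlite3

# Assumption: Windows DPAPI blobs begin with a version DWORD (1)
# followed by the fixed DPAPI provider GUID.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

def classify_blob(blob: bytes) -> str:
    """Label a stored password value by its header only (no decryption)."""
    if not blob:
        return "empty"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"            # bound to the Windows user profile
    if blob.startswith(b"v10"):
        return "aes-gcm-v10"      # AES key itself is kept DPAPI-wrapped
    if all(32 <= b < 127 for b in blob):
        return "cleartext"        # printable ASCII: should never appear
    return "unknown"

def audit_login_db(conn: sqlite3.Connection) -> dict:
    """Count stored values per protection class."""
    counts = {}
    query = "SELECT origin_url, password_value FROM logins"
    for _origin, blob in conn.execute(query):
        kind = classify_blob(bytes(blob or b""))
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a copy of the profile's login database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, "
                 "username_value TEXT, password_value BLOB)")
    rows = [  # constructed sample values, not real credentials
        ("https://a.example/", "alice", DPAPI_HEADER + b"\x00" * 32),
        ("https://b.example/", "alice", b"v10" + b"\x11" * 12 + b"\x22" * 24),
        ("https://c.example/", "alice", b"hunter2"),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    print(audit_login_db(build_sample_db()))
```

A `cleartext` count above zero, or an exported CSV left on disk, is the condition worth alerting on; `dpapi` and `aes-gcm-v10` entries are only usable inside the Windows profile that created them.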