Google Chrome, lack of transparency and security with keychain passwords.

Did you know that when you log in to Google Chrome, it pre-fills the OS X Keychain with all your saved passwords?

And when you sign out of Google Chrome, it helpfully removes those passwords? Wrong! No it doesn’t!

This is a major problem if you’re using someone else’s machine temporarily. A work machine perhaps? My job requires me to move around from office to office, and usually I use my own MacBook. Some occasions call for using a different machine.

Moving passwords into the keychain

I’ve recently been at an agency which asked me to borrow a MacBook for two weeks, and as expected Chrome pulled down my passwords for me. Handy, until I worked out they were actually being stored in the keychain for anyone with admin rights to see. Simply change my password and Voilà! You’re into every password I’ve saved in Chrome, plain text for all to see.

The way to rectify this isn’t the expected “Sign out of Chrome”. Doing so will still leave all your passwords in the keychain. You’ll need to head into the keychain, locate all your passwords and delete them.
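One way to script that cleanup on a borrowed machine, as an added example that is not part of the original post: it parses the attribute listing from the macOS `security dump-keychain` command (no secrets are printed without `-d`) and lists internet-password items, deleting them only when `APPLY=1`. It assumes the logins Chrome pulled down appear as `inet` items in the login keychain; the sample dump and the function names are constructed for illustration.

```shell
# Constructed sample of `security dump-keychain` output (attributes only, no secrets).
SAMPLE_DUMP='keychain: "/Users/guest/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="alice@example.com"
    "atyp"<blob>="form"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/guest/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="guest"
    "svce"<blob>="AirPort"
keychain: "/Users/guest/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>=<NULL>
    "srvr"<blob>="intranet.example.org"'
TAB=$(printf '\t')
# Read a keychain dump on stdin; print "server<TAB>account" per internet-password item.
list_inet_items() {
  awk '
    /^class: / { if (inet) emit(); inet = ($2 == "\"inet\""); srvr = acct = ""; next }
    inet && /"srvr"<blob>="/ { srvr = val($0) }
    inet && /"acct"<blob>="/ { acct = val($0) }
    END { if (inet) emit() }
    function val(l) { sub(/^[^=]*="/, "", l); sub(/"$/, "", l); return l }
    function emit() { if (srvr != "") printf "%s\t%s\n", srvr, acct }
  '
}
# $1 = keychain file. Dry run by default; set APPLY=1 to actually delete the items.
purge_inet_items() {
  security dump-keychain "$1" | list_inet_items |
  while IFS="$TAB" read -r srvr acct; do
    if [ "${APPLY:-0}" = 1 ]; then
      security delete-internet-password -s "$srvr" ${acct:+-a "$acct"} "$1" >/dev/null
    else
      printf 'would delete: %s (%s)\n' "$srvr" "${acct:-no account}"
    fi
  done
}
# Touch a real keychain only when a path is given and the macOS `security` tool exists.
if [ -n "${1:-}" ] && command -v security >/dev/null 2>&1; then
  purge_inet_items "$1"
fi
```

Review the dry-run list before setting `APPLY=1`, since it covers every internet-password item in that keychain, not only the ones Chrome added.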

The problem is Chrome never notifies you of this, and it can cause issues with security and privacy. It’s another addition to the issue over plain text passwords being accessible with only a couple of clicks. I was shocked a year or so ago when someone at Technophobia showed me all my passwords when I handed them the machine to fix an issue. His words were “be careful in future”.

Thanks Chrome!