Feeds

Chrome makes new password grab in version 34

Even with autocomplete off, Google will ask if it can 'help' by storing your passwords

Protecting against web application threats using SSL

Google has announced that Chrome 34 is now stable enough to be promoted to the Stable Channel. In a few days it will therefore become the default version for millions of users.

Most of the updates to the browser are anodyne: there are 30-odd security fixes, a new look on Windows 8 and what Google labels “Lots of under the hood changes for stability and performance”.

But Chrome 34 will also “ … now offer to remember and fill password fields in the presence of autocomplete=off.” That means that if a website turns off automatic password collection, Chrome will offer to do it anyway if password manager is enabled.

Chromium developers justify this move by saying “It is the security team's view that this is very important for user security by allowing users to have unique and more complex passwords for websites.”

Google also says the decision is in line with its belief in the priority of consistencies, an idea that suggests “In case of conflict, consider users over authors over implementors over specifiers over theoretical purity.”

That last link is to a 2011 post from Chrome security chap Adam Barth and specifically addresses the password manager issue, as follows:

The password manager is a source of conflict for these competing interests. Implementors (myself included) believe that password managers improve security by reducing the costs of using a large number of more complex passwords. Many banks, however, disagree. They believe that password managers reduce security because passwords stored in password managers can be stolen by miscreants.

How do browser vendors resolve this conflict? By default, we enable the password manager. Because users have a higher priority than implementors (i.e., browser vendors), browsers let users turn the password manager off. Because authors (i.e., site operators) also have a higher priority than browser vendors, browsers let authors disable the password manager on their own web sites by setting autocomplete=off.

It's still possible to turn off autocomplete with a “ "--disable-ignore-autocomplete-off"” flag. Just how many average users whose browsers update to Chrome 34 without their intervention care, or care to make that change, is anyone's guess. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.