Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?
Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him:
I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.
Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.
We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.
I've been using LastPass under the assumption that it is better and safer than using Chrome's built-in password manager. There are two additional facts that are relevant here:
- LastPass has an option to stay signed in on a trusted computer. Let's assume I use it.
- Chrome lets you create a separate password for Google's synced data (read: stored passwords). Let's assume I do this as well.
With those givens, all other things being equal, is LastPass any safer than Chrome? It seems like once malicious software gets on my system, or a bad guy has access, it doesn't matter from a theoretical perspective, I'm 100% compromised. Is that true?
Also, from a practical perspective, is one or the other more likely to be hacked in real life? Are there certain attack vectors which are more common or more successful that would work one one of these or not the other?
PS: I don't care about friends, family or novices gaining access to my account. I'm asking about intelligent malicious hackers.
NOTE This answer may be outdated due to improvements in Chrome since this answer was written.
First of all, Chrome does encrypt your passwords and other secret data. But there's are different aspects to this depending on the setting, plus a few details that you should keep in mind.
On your Computer, In your OS
When passwords are saved locally on your computer, Google will attempt to use whatever local password vault might exist. So for example, if you're on OSX, that's the system's Keychain. If you're on Windows, it's the Windows Data Protection API (Microsoft has a peculiar skill for naming products), if you're on KDE, it's the Wallet, in GNOME it's Gnome Keyring.
Each of these products has its own implications that are worth noting. For example, if you ever sync your passwords on an OSX device, those passwords go into the Keychain (as mentioned) which has been re-branded the iCloud Keychain -- the implications of which are exactly what they sound like: now Apple knows your saved passwords too, and will sync them to your iPhone, your iPad and any other Apple devices. That may be precisely what you wanted. And maybe not. Just be aware.
The Windows Exciting Names And Data Protection API Professional Edition boasts no such features. Your passwords are on your computer, and there they stay until further notice. Call it old-fashioned or call it safe. But bear in mind that Microsoft has a history of chasing Apple, and may decide to do so here as well.
In the Cloud
In addition to any unintentional iCloud syncing as mentioned above, Chrome will also sync your passwords between Chrome instances. This means sending your data to Google. Yes it's encrypted.
How is it encrypted? That's up to you. You can either use your Google Account (the default), or you can set a special "sync passphrase". While I have no special knowledge of the internals of these two options, the implications appear pretty straight-forward.
If you use your Google Account password, then the passwords are decrypted with no further intervention on your part. Note that the actual password is in fact required; access to the Google Account alone isn't sufficient. I've seen situations where Chrome had successfully managed to log in and fetch its sync data through external authorization but was not able to decrypt it until I typed in the original Gmail password. The advantage, therefore, of using a separate "sync passphrase" is to make sure that anyone who has your Gmail password (presumably Google could, for example) will not have your sync password.
Remembering autocomplete=off Passwords
The geek.com article mentioned brings up an interesting point, but that point is traditionally argued from a position of... unenlightenment. It's a common position held by "privacy advocates" (particularly the kind for whom I'd put that term in quotes) but the security implications are very, very, very clear, and very definitely, squarely on the side Google takes.
I've written about this already. Go read that other answer and then come back. I'll wait.
OK, back? OK, here are the critical points while they're fresh on your mind:
autocomplete=offwas an intervention added to turn off a very dangerous feature. That feature is not the password saving we've been talking about.
The feature we've been talking about helps users. That other one was a misguided attempt at being useful by filling in forms using things you typed on other websites. So imagine an autocomplete assistant like Clippy, but with worse social skills: "I see you're trying to log in to Ebay; I'll just fill in your login from Yahoo and we can see if that works." Yeah, we had funny ideas about security back in the 90's. You can see why putting
autocomplete=offinto everything even remotely security-related quickly became a bullet-point in site audits.
By comparison, the autocomplete that we've been talking about is a very carefully-controlled security-enhancing solution. And if you use it for anything at all, you'll want to use it for your most secure passwords? Why? Phishing.
Phishing is literally the single most dangerous online attack facing you. It's super-effective and super-devastating. It doesn't get nearly the attention it should because we always just point a finger at the stupid user who gave the Syrian Electronic Army his password. But defending against phishing is really, really hard, and exploiting it is therefore really, really easy. Furthermore, a successful phishing exploit has unlimited damage potential, all the way up to shutdown-the-whole-bloody-company sort of disasters.
And in protecting against phishing, your single greatest weapon is a browser-integrated password manager. It knows where your passwords should be used, and locks you out from using them unless you're actually looking at the right site. It's not fooled by look-alike domains or "site seal" graphics, it knows to check the SSL certificate and knows how to check the SSL certificate. It keeps your passwords locked up until you're ready to use them and staring at the correct login prompt.
Should the Chrome password manager ignore the
autocomplete=offmessage? MOST DEFINITELY YES.
Should you use it? If you're using LastPass then you're fine sticking with that. But this should be considered a reasonable alternative if the caveats mentioned above don't bother you.
If you're not using any password manager, then start using this one right now. It's safe by any reasonable measure, and in particular, far safer than not using it.
You said LastPass doesn't store my password nor implicitly grant access when I'm logged in. But when I set it to remember my computer, I can boot up and go directly into LastPass and view my passwords without entering my LastPass password. Also, I had the impression that if you use the Google sync passphrase that I linked to, it encrypts your data with it and they don't know your password. I'm still not sure how all of this pans out in terms of my passwords actually being stolen by malicious people/programs.
@brentonstrine ah. I didn't realize you meant the option that persists between reboots. Yep, that saves your password. Google sync does now have the option to encrypt synced data w/ your login password. Which you could argue is better than nothing, though the fact that they have your password means they can decrypt your data. So whom are you protecting yourself from?
To be honest, if the NSA wants my data, they can subpoena it directly from Gmail or Facebook or whatever. I'm more worried about what the media ominously labels "hackers."
@brentonstrine And "Hackers" don't just get data in transit. I will be forever angry at LinkedIn for inadvertently giving my email address, company name, and company position to every spammer in the world.
I think you're slightly mistaken on how Chrome encrypt passwords on Window. It looks like it is using the OS "CryptProtectData" API which doesn't use the username as key but uses a password derived from the user Windows password (it's a bit more complex that this, but that's the idea). It means that the password are protected against other users but any process in the same login context will have access to them. Pretty much exactly as with Keychain, in fact.
@Stephane It appears that Chrome has overhauled their mechanism for protecting saved passwords, so this may be obsolete.
Yup, but your description of what google does (did) to protect the passwords on Windows is still incorrect.
Windows DPAPI supports additional entropy (i.e. master password) on a per application basis so that the data is not visible to all processes running as the user account. Chrome has to specifically use this mechanism though. OS X's keychain by default only allows the application that created the passwords to access it. Other applications require user confirmation. A separate keychain with a different password can also be used.
Ultimately, Justin's point was the same as your observation that even LastPass passwords would be 100% vulnerable to malware present on your machine. Your machine is where the ultimate security lies.
The Elliot Kember post claims that your overall safety is increased if you require a master password to view other passwords. And he has a valid point. There is definitely an advantage to reducing your attack surface, and his claim is that Google's not even trying in that regard. Elliot claims that Justin's "false sense of security" ignores the human element, which is that 95% of the people you might loan your machine to are incapable of exploiting it. However, if you loan your machine to your worthless brother-in-law, he might do something foolish that exposes you to a virus -- your brother-in-law isn't deliberately exploiting you, but he's a potential vector for infection.
All in all Justin's argument also exploits human behavior. If Chrome lets other people easily see your passwords, you'd be stupid to let someone else use it without close supervision. Both sides have valid points.
The unspoken problem with Chrome is that unless you click an obscure advanced sync option, your sync password is the same as your Google password. So by default Google has the ability to decrypt your sync file and access your passwords. You've now spread your attack surface to include completely trusting Google to protect all your passwords. Is Google trustworthy? The simple answer is to ask why Google would ever snoop on your passwords and risk damaging the trust people have for them. But do they turn them over to the authorities when presented with a warrant and a National Security Letter? Those questions have unknowable answers, yet they're dealing with your personal security.
You can go one step further, though, and actually improve your security through trusted hardware. You can link your LastPass account to use a YubiKey for dual-factor authentication. It's a USB key that acts like a keyboard, but you keep it on your keyring next to your house key. It provides a seemingly random string to Lastpass that Lastpass can then use an algorithm to verify, granting you access to your account. Even on a totally pwned machine where malware can intercept the passwords in active use, as long as it doesn't have clipboard access or you're using the Lastpass browser plugin, your passwords are safe.
Does Google store my password where they could decrypt my saved passwords if they were issued a subpoena? In theory, couldn't they only store a salted hash of my password and be unable to decrypt my password list? They can freely share encrypted password lists to all signed in chrome browsers, and then require the chrome browser to keep your Google password in RAM and persisted with the OS keychain. Google knows my password when I log in, but their login servers can immediately forget my password once authenticated. Their login servers and chrome password servers dont need to communicate.
You are asking about how to be secure under the assumption that a malicious actor has started a process on your system (or hijacked another process with their own code) running with "user trust".
On Windows, you could trigger this action yourself by -- for example -- downloading
http://example.com/virus.exeand then running it voluntarily. Even if you are never asked for a UAC prompt, your system is still effectively compromised.
On Linux, you could trigger this action by downloading a binary (or even a shell script, Ruby script, Python script, Java jar, etc), making it executable, and running it.
The security model of most OSes -- especially those which have not been very specifically configured with a strict Mandatory Access Control policy, which they almost never are out of the box for convenience -- is unable to mitigate a compromise at this level.
The following potential attack vectors immediately present themselves on Windows, Mac OS X, desktop GNU/Linux, desktop BSD, Android, iOS, etc., assuming a malicious actor is able to run some form of code with user trust on the system/device:
- Mouse/Keyboard capture or injection: capturing keystrokes, mouse movements/clicks, or injecting the attacker's own keyboard/mouse actions.
- Screen scraping or injection: capturing screenshots or video of the display output, or injecting the attacker's own arbitrary data to the screen to make you think you're doing one thing while actually doing another.
- Web browser hijacking: stealing session cookies and uploading them to a remote server.
- Arbitrary reads of any data on your filesystem that you can access manually as a user, and sending that data to the attacker's server.
- Using published or unpublished exploits at the system API layer (C library, security libraries, authentication libraries, kernel interface, etc.) to elevate permissions from user to administrator level, and then perform more advanced compromise techniques (rootkits, etc.) that aren't typically possible as a regular user, to further exfiltrate data or confuse the user into typing their passwords or personal information, which is then keylogged and exfiltrated
Given this list of possible attack vectors, and probably others I'm missing, it is impossible for any "password manager" to actively prevent any/all of these methods from being exploited to either steal your data, or make you think you're at a legitimate website where you then unwittingly submit your credentials or personally-identifiable info to the attacker.
Let's put it this way: if Cross-Site Request Forgery and Cross-Site Scripting or Heartbleed are comparable to having your front door wide open, trying to have any meaningful security within a password manager under a scenario of malicious program(s) running under user trust is like trying to sleep peacefully when you can see a robber in your bedroom who's rifling through your personal valuables and putting interesting ones in a big bag.
So you're answering the first part of my question ("is LastPass any safer than Chrome from a theoretical perspective given a compromised system?") with a definitive "no." What about from a practical perspective? Is one or the other more likely to fall prey to common attacks?
From a practical perspective, the most common way to exfiltrate data for a malicious client-side program running with user trust is to (1) capture keystrokes, and (2) send them to a remote server. Both LastPass and Chrome (and any other system involving passwords *whatsoever*) are wholly and completely vulnerable to this technique. You type your password and you're owned.
To me this is like saying that you don't need to bother locking your car because if someone really wanted to get in they'd just smash a window.
Even if you leave your LastPass session signed-in (which is not advisable if anyone else has access to your computer), it is still stronger in several ways than using any system where the keys are stored on the disk (Chrome).
The LastPass keys can only be accessed (in memory) while the session is logged in, while the Chrome keys can be accessed at any time if you have file access. This means the latter is susceptible to a larger range of attack vectors:
- Even if you keep your computer physically secure, if someone has access to an unencrypted backup drive, cloud backup or local network backup, they can get your keys. For example, the computers at my work backup user profile files onto SMB network shares - the file transfer is not encrypted so anyone with access to the network or the disks of the backup server, or the backup disks, or even future access to those disks, would get all my passwords if I saved them in Chrome.
- After your computer is locked or shut down, it is not possible to access the keys in LastPass, but the keys in Chrome are still on disk (assuming your hard drive is not encrypted.) A motivated attacker can just take out the hard drive or take the whole computer.
- If it's a remote attacker, it is far more straightforward to have a malicious program copy a few Chrome files from your user account than it is to get a malicious program to access the currently open LastPass session. LastPass may block other user level software from accessing its memory and manipulating its window input, and software trying to take control of the screen or keyboard may alert virus scanners. [Note that it's still probably easy to replace program shortcuts and intercept a future execution of LastPass, but that requires you not to notice the intrusion.]
Of course if you leave your computer unlocked and someone walks up and gets all the passwords, then it's your own fault, but at least with LastPass you have the option of locking the session and making it considerably more involved.
You are assuming "intelligent malicious hackers" who have installed malicious software on your system. Any difference between any two password managers is marginal and purely a matter of luck at that point, not a designed security guarantee.
If you are worried about security, go to two factor authentication for the entire google stack AND use a chromebook. Not a mac nor a windows pc. Start with gmail, drive, calendar, etc.
Chromebooks are limiting in some ways, but much, much, much more resilient to advanced persistent threats. If they get a back door in the network they can intercept your chromebook traffic, but, they cannot get a persistent foothold or backdoor in your device. It is extremely difficult.
I work for a cyber security company. All our employees are under constant attack. I did a memory dump on my windows device about once a month and then a rebuild. no joke. very tiring.
Chromebook was a great alternative. More secure. You get used to working in sheets, doc and then use excel, word, pdf-adobe as an archive for the document in that instant. A different and better way of thinking. Collaboration is built-in. Calendar works great. Once you get used to the different approach to starting with collaborative documents, if you want, instead of constant versions in ms office you will like it alot. but you need to get used to it and it is different. different isn't better, different is different! so be patient.
As the LastPass advocate at work - the security is largely equivalent between Chrome and Lastpass as password managers.
LastPass maintains a recovery key in browsers by default (it can be switched off), so even if you don't stay logged in someone with access to your account can reset the access if they have access to your email/SMS.
LastPass has many selling points, cross browser support, Enterprise features etc, but I don't think any of these make it more secure.
The selling point for us is that it offers some basic Enterprise reporting. So I can tell if my users are using LastPass, that they have 2FA, and are using random passwords (or at least equally strong ones).
You can disable the recovery token, restrict access by country, whitelist devices, and enable 2FA, but it is still a browser plugin with various complex local access.