Comment #36 on issue 1397 by amandel.seril: Master password is missing
http://code.google.com/p/chromium/issues/detail?id=1397

To add my own tuppence, and possibly sway the course of the discussion:

By analogy: If I install a lock on my business's front door, I do so in expectation that the lock won't be circumvented except by the determined lawbreaker. Likewise, if I install a lock on my storeroom door, I do so in expectation that those who already have access to my business's premises will not circumvent the lock, -despite- the fact that I have already implicitly denied access to an attacker by way of the front door lock. If someone takes a "bump key" or a lockpick gun to my locks, there's little I could have reasonably done to protect against the breach (other than getting stronger locks), but that wasn't the original intent of installing the second lock.

There's an old adage: locks keep honest people honest. If I've already granted (or been forced to grant) someone access to my business (or my computer), the intent of the lock on my storeroom door (or password safe) isn't to rebuff an attack, it's to keep random passersby from poking around my storeroom without my knowledge and lifting something that isn't theirs. As such, the intent isn't to make the storeroom -secure- so much as keeping it -private-.

I'd suggest that this isn't so much a security issue as it is a trust issue. You may trust someone to have access to your computer without trusting them with your passwords, but this doesn't automatically mean that person is an attacker. Granted, the potential is there, but in most instances where I'm going to be trusting someone with access to my computer, I'm not necessarily going to want to give them unfettered access to my passwords as well.

As an example, what percentage of the Chrome-using population is going to need to take their computer into Best Buy or Circuit City (or Future Shop or whatnot) and have someone fix it? What percentage of the technicians fixing those computers are going to take the time to brute-force a password on company time?
How many passwords would be protected from prying eyes just by implementing a "privacy screen" over the password store?

I should add that I didn't use a Master Password in Firefox until I checked the password list there and noted how easy it is to view passwords in plaintext. The simplicity of the process whereby someone can do likewise in Chrome makes it easy to stumble across someone's login information, possibly without even intending to.

What users like me are asking for isn't a fire safe. It's a diary lock: easy to break, but keeps your little brother from reading your innermost thoughts.

Comments are welcome; I'm interested to see the other side of this particular coin.
