Update: Looks like the title that I had used in the previous version of this article is being accused of being “clickbait”. It was not my intention. I have changed the title anyway based on your comments here and on Reddit.
Here is the most exciting Chrome OS news that you will read today (unless there is a confirmation on a new Chromebook purchase in your email that is!). Chrome OS will soon ask you to enter your login password or lock screen password to view saved passwords.
I use Chromebooks and write about them almost every day. Gosh, these days I am even making videos about them. I assumed that the saved passwords on Chrome OS work similarly to that on Chrome on Windows and macOS.
On your Windows computer or your MacBook, if you try to view one of the saved passwords, it will ask you re-enter your computer’s password. This is to make sure that people cannot steal your saved passwords if you ever leave your computer unlocked and unattended. You should never leave your computer unlocked, but I am just saying.
On Chrome OS, this isn’t the case. If I log into my Chromebook and hand it over to you while I go grab my coffee, you can go to my Settings app and view all of my passwords. You could even export the whole thing into a CSV file and send it to your email address and delete it from my “Sent” folder (Am I making it easy for you here?)
This loophole was left open due to some technical challenges. Here is what the bug submitted this feature request has to say about this:
On Windows, MacOS, Android and iOS we ask the user to enter their OS credentials before revealing the password. On ChromeOS there is no API to do that (AFAIK). This did not make it to the password manager team’s priority list because of the effort to introduce such a reauthentication mechanism.
This is changing. Looks like the team has found a workaround. We might soon see at least a partial solution.
Challenges and Workarounds
Interestingly, there is another place where Chrome OS will re-authenticate you before making any changes. That is your lock screen settings. If you go to chrome://settings/lockScreen, you will have to enter your Chrome OS login ID before you can make changes.
The plan is to use this method for the password manager as well. However, there is another challenge. You can reveal saved passwords from the password bubble while you are on a website. Hopefully, the team will soon find a workaround for this too. Maybe they already have. Some of the code for this change was added to the Chromium OS repository today. It talks about enabling “lock screen on Chrome OS for viewing passwords.”
Policy for Enterprise Users
If you are an enterprise admin with a fleet of Chromebooks, there is a workaround for you too. The team will create a new policy that you can apply to your devices. This new policy will disable the feature that lets users view saved passwords.
At least that’s the current plan according to the bug report.
Anyways. I was really surprised to learn that my passwords weren’t really safe on Chrome OS. Luckily, this will soon change.
What do you think? Did you test saved passwords after reading this post? Let me know in the comments.