
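Google Chrome Users' Passwords Are Hard to Keep Secure

Published: 2020-01-14 22:51:42 Source: 瓜果类厂家

Xinhuanet, August 9: According to the US technology website Gizmodo, Google Chrome has no password-protection setting at all, which can harm the security interests of its many users.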

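When you first run Google Chrome, you will notice something interesting. One day, a Gizmodo editor was using Chrome to build an application. The editor normally uses Safari, but Safari often hides files when the editor least expects it, so the editor sometimes switches to Chrome.

Seeing this prompt, the editor decided to click Chrome's “Import bookmarks now” link to see whether Safari's bookmarks bar could be imported, which would make the two browsers more convenient to use together. But the editor did not expect to see this:

The editor found this odd. Why is “Saved passwords” greyed out, and mandatory? Why put a check-box in front of it at all? This is simply a false choice. The editor considers this setting very misleading, for the following reason:

This is a page in Chrome's settings panel:

See the “Show” button? It does exactly what you would guess.

There is no master password, no security protection, not even a prompt that “passwords are visible to others”. Readers who do not believe the editor can visit chrome://settings/passwords in Chrome.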

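This problem can be viewed from two standpoints: the developer's and the user's. The two roles have very different views of how the computer works. Every time the editor tries to draw attention to this, technical people usually respond like this:

Just use 1Pass

Once someone starts operating the computer, it is already insecure

That is just how password management works

Although all of the above points are valid, they do not address a fundamental problem: Google is simply not clear about its own password security.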

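Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards. The people who see these ads are not developers but mass-market users, a huge group. They have no idea Chrome is set up this way, and they do not expect their passwords to be so easily seen. Every day, millions of ordinary users store their passwords in Chrome. We cannot let Google do this.

This dialog is even more misleading. By using wording such as “confidential information” and “stored in your keychain (password management system)”, OS X describes the security state of the user's default passwords. This layer of security is exactly what Chrome is about to bypass: Chrome displays the user's passwords directly, without going through the keychain management system and without requiring a password. Whenever the user visits a website, Chrome can read the passwords the user uses on that site.

The editor suggests borrowing a computer from a non-technical person, visiting chrome://settings/passwords, and clicking “Show” to see what they say.

The editor bets they will not say “this is how password management should be set up”.

Update: Justin Schuh, head of Chrome security, says I'm wrong, but that this setting will not be changed.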

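Translator: 贺飞

This article is a joint production of Baidu News and the Xinhuanet international channel; please credit the source when reposting.

Google Chrome's Insanely Open Password Security Strategy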

Chrome does something interesting when you first run it. The other day, I was using Chrome in development for an app. I use Safari for day-to-day browsing, but it has a habit of aggressively caching files when I least expect it, so from time to time I switch to Chrome.

I decided to hit Chrome's “Import bookmarks now” link and see whether I could import my bookmarklets from Safari, so things would be nice and consistent between the two browsers. I didn't expect this:

This struck me as particularly odd. Why is “Saved passwords” greyed out, and mandatory? Why have a check-box? This is the illusion of choice. I think it's deeply misleading, and this is why:

This is a page in Chrome's settings panel:

See that “show” button? It does what you think it does.

There's no master password, no security, not even a prompt that “these passwords are visible”. Visit chrome://settings/passwords in Chrome if you don't believe me.

There are two sides to this. The developer's side, and the user's side. Both roles have vastly different opinions as to how the computer works. Any time I try to draw attention to this, I get the usual responses from technical people:

Just use 1Pass

The computer is already insecure as soon as you have physical access

That's just how password management works

While all of these points are valid, this doesn't address the real problem: Google isn't clear about its password security.

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market - the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.

This dialog is even more misleading. By using words like “confidential information” and “stored in your keychain”, OSX describes the state of your saved password's current security. It's the very security Chrome is about to bypass, by displaying your passwords, in plain-text, outside your keychain, without requiring a password. When you visit a website, Chrome prompts for every password it can find for that domain.

Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

I bet you it won't be “That's how password management works”.

Update: Justin Schuh, head of Chrome security, says I'm wrong, and that this is not going to change.

This post first appeared on and is republished with kind permission. You can follow him on Twitter here.
