Google has been criticised for making it easy to access someone’s stored passwords if the attacker can get on to a target’s Chrome browser.

The problem is a simple yet controversial one: Google does not protect passwords from being viewed when a user is logged in and running Chrome. It means anyone can walk up to a machine and grab stored passwords from Chrome.

The tech titan believes this is the best way forward for usability and security.

To view stored passwords, a user simply has to go to the advanced settings page, then click on the “Passwords and forms” option, followed by “Manage saved passwords”.

Password hackAlternatively, they could just use the URL chrome://settings/passwords. Clicking on the list of obscured passwords reveals what they are.

There is no option to add security around stored passwords, not even the option to add an extra password to access them.

“Google isn’t clear about its password security,” said developer Elliott Kember, who blogged about the issue. In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority.

“They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.”

Head of Google’s Chrome developer team, Justin Schuh, said Kember’s assessment was wrong, suggesting that Google would be giving a false sense of security if they changed the model.

“You think your passwords are protected somehow in other applications, but they’re simply not. The fact is that they’re still trivially recoverable, and if the bad guy can read them at all than he already has access to fully compromise your entire OS user account,” he added.

“So, you’re arguing that we take measures to make users think they’re safe when they’ve already surrendered any pretense of security. Effectively, you’re asking that we lull our users into a false sense of security.”

TechWeekEurope