Those two threat vectors are not protected by a password system. They simply log in to your account, do a password reset, and update accordingly. Right?

On Wed, Aug 7, 2013 at 2:09 PM, Cédric Beust ♔ <[email protected]> wrote:
> A nosy coworker or jealous girlfriend/boyfriend. Someone without much
> technical knowledge but with a little bit of evil will toward you. Someone
> who won't go to the extremes of breaking into your house but who might take
> advantage of an unlocked workstation or a lunch break to steal very
> valuable information from you.
>
> Safari gets it right, I'm betting Chrome will too very soon.
>
> --
> Cédric
>
> On Wed, Aug 7, 2013 at 10:52 AM, Josh Berry <[email protected]> wrote:
>
>> I think the question is what threat model would this protect against?
>> Seems their take (and at face value, hard to argue) is that it does not
>> actually add ANY security. What are your arguments against? (Any actual
>> threat vectors?)
>>
>> On Wed, Aug 7, 2013 at 1:05 PM, Fabrizio Giudici <[email protected]> wrote:
>>
>>> I had this question in mind for some time to ask here, but so far I
>>> didn't because after all was a well known theme. But I see that the point
>>> has been reprised by Engadget, so I have the excuse of commenting its post
>>> ;-)
>>>
>>> http://www.engadget.com/2013/08/07/chrome-saved-passwords/
>>>
>>> https://news.ycombinator.com/item?id=6166731
>>>
>>> Key point: Chrome doesn't protect user passwords with a master key.
>>> Google says that, beyond the o.s. login, everything else is "just theater"
>>> and would provide "a false sense of security", encouraging "risky
>>> behaviour" by the user.
>>>
>>> With all the respect that I owe to Google and its engineers... may I
>>> humbly say that this sounds to me as supreme nonsense? It sounds as saying
>>> "listen, a fence is just theater as it takes ten seconds to be broken. So
>>> we didn't build any fence around our plant". Still, all the military bases
>>> I know have a fence as the first level of protection. I've never seen one,
>>> but I guess that Google data centers are protected by a fence too. Are
>>> those guys just stupid?
>>>
>>> Out of the metaphor: I've always understood that good security is made
>>> by a layer of things, the former ones could be even easily breachable, but
>>> they act as a first gross filter.
>>>
>>> Practically, I've learned Google's point a few weeks ago when I moved to
>>> Chromium. I applied their point, making sure that Google data are on an
>>> encrypted partition; and I've always taken care of my laptop, e.g. making
>>> sure that when I move the encrypted partition is unmounted. This of course
>>> to protect a whole bunch of data other than Chromium passwords. Still,
>>> sometimes you can get distracted for just a few seconds and I don't think
>>> it's human to ask people to lock the screen when they just turn around. A
>>> master password would just prevent the nearby co-worker from peeking his
>>> nose in such circumstances. Without master password, it's really a matter
>>> of seconds to get to the passwords.
>>>
>>> Your opinion?
>>>
>>> --
>>> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
>>> "We make Java work. Everywhere."
>>> http://tidalwave.it/fabrizio/blog - [email protected]
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Java Posse" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to javaposse+unsubscribe@googlegroups.com.
>>> To post to this group, send email to [email protected].
>>> Visit this group at http://groups.google.com/group/javaposse.
>>> For more options, visit https://groups.google.com/groups/opt_out.
