Shared publicly  - 
There is a new experimental flag in the last Chromium Build for Mac that you might be interested in.

Once you've enabled the chrome://flags/#enable-password-manager-reauthentication flag, user who's trying to reveal a plain text password in chrome://settings/passwords will be prompted to reauthenticate with the User Mac OS password.

When you are authenticated, you won't need to reauthenticate anymore for one minute. 

Matthew Garbett's profile photoAlan Peery's profile photoMauro Cerbai's profile photoOisín Mac Fhearaí's profile photo
That's great....... I may for once begin to save my passwords..... But, will this make it to other platforms?
This is a good feature! Bring this to all other platforms as well, especially mobile since people seem to carry mobile devices around a lot more than Mac :)
This is huge. Great work Chromium team, I like where this is headed. Please please please implement something similar for Windows :) 
Linux (At least my KDE Desktop) already supports this and has password storage for chrome enabled without experimental flags. In fact ever since I started using Chrome/ium there hasn't been an issue regarding this feature.
+Mathspy Terabithian the point is mobile devices are more vulnerable to ending up in a strangers hand than laptop .... the probability of anyone handing their laptop to a stranger (or a friend) that wants to look at their passwords is comparatively lower than someone losing a phone and losing their personal information along with it!
+Sathya Vasudeva Well, that's the job of Google Play's Device Manger not Chrome
You can erase your whole data if needed. Or just locate and lock it from there if you don't already know that.
+Mathspy Terabithian if +Google Chrome team feels that way, I don't think they are feeling it right! :) And I am not just referring to mobile device for "Android Phone" ... whether you have other means to secure your data or not, it is Chrome team's moral responsibility to secure the information on Chrome browser
+Sathya Vasudeva you have made the point perfectly. If you don't secure your device this feature does nothing. If you do, it offers 2 things; Protection from people you loan your devices to and a false sense that your passwords are better protected than they were before this feature.
This a great fix. Hope to see it in other platforms too
Hmm, if Chrome did this and still stored your passwords in plain text (as it currently does), would it be an improvement or is it giving a false sense of security?

Edit: Chrome doesn't store them in plain text.
Any software can copy and decrypt chrome passwords so... dont leave passwords in chrome. 
Will this feature make it into the main versions of Chrome?
That thing should have been implemented from day one but better late than never...
Good move.. It would be great if it authenticates with Google account (for users who as signed-in with Google account in Chrome), instead of system user account. System credentials are often shared.
+Balaji Alavandar try an experiment. Log out of google AND the browser and then try to access the passwords and see what happens.
Use the chrome-sync details to force re-authentication, make it cross platform. Done. 
Nice. Let me make a suggestion: I want to be able to plug in my YubiKey NEO, go to a website, and hit the button (or touch the back of my phone). Pull the YubiKey, and the browser is deauthorized.
+Abhilash Bingi I don't know why you think passwords are stored in plain text when we have said many, many times that they are not.
+Peter Kasting That's what I thought reading all the press this issue got after Elliot Kember made a blog post about it and the response from chrome team was that it was working as intended.
I went back and read some of them, and I admit I was wrong in assuming Chrome stores them in plain text. TIL, thanks.
I think this should be on all platforms I know Google has been against it previously but it only makes sense.
Off topic: is there someway to re-sort the Google apps in Chrome's app bar?
Waste of time, you guys should spend your time on something more useful! This is as previously mentioned just false security. And if you are silly enough to leave your computer unattended in the first place this is not going to stop people from getting access to your accounts if you've saved passwords in the first place. I'm getting tired of users/people bringing such issues up wasting everyone's time when there are bigger more important issues we all should be spending our time on..
+Peder Johnsen at least it keeps my gf from reading my emails. I'm kidding here, but you get the idea : it's gonna block 99% of people who have no real knowledge in computer science.
+Julien Teyteau but that's the thing, it won't. If you leave your computer unattended and don't lock the screen, anyone can still sign into anything you've saved a password for just by going to that service. So sure it's harder to get access to all your services because the person would have to guess what service you use, but once on there it's easy to login if you've saved the password. Usually when only 1 user for that service is saved, it's already pre filled too and you just have to press login.
There's a reason for this : if there's no password, it's to force people to use the OS sessions system. Profiles in Chrome are just there for convenience and to manage multiple profiles of the same person. (according to Google)
When will protecting these password be the default setting, as it always should have been?
Waiting from 2008... That's great... Hope for the other OS too...
+Peder Johnsen I don't follow your argument. This isn't just about leaving your computer unattended and unlocked (of course you should lock your computer whenever you walk away from it).

Let's say someone steals my laptop. It's running Linux, and sadly Chrome doesn't support this "experiment" in Linux yet.

The attacker doesn't know my password, but they can use a live CD to mount the filesystem and reset the password to "hello".

Then they log into my account, open Chrome and are able to immediately view all stored passwords in plain text. This could have been prevented by having a master password.

How is that a "false sense of security"?
You could perhaps prevent that by enabling encryption of user directories, depending on your OS. However, that may not be possible due to: 1) work policy, or 2) not being willing to pay the (slight) performance overhead of constantly decrypting/encrypting your files.

The point is, having a master password is NOT just a false sense of security. It makes some forms of attack much more difficult.
Add a comment...