Shared publicly  - 
 
The Reauthentication Dialog for passwords has been enabled by default last week in chromium and after Mac OS¹, this feature is now ported over Windows in the last chromium build as you can see in this screenshot below.

As you might expect, clicking on the "Show" action at chrome://settings/passwords will prompt you to reauthenticate with your Windows Account to reveal the plain password.

¹ https://plus.google.com/+FrancoisBeaufort/posts/2zhYDGP822Z

Source: https://codereview.chromium.org/34393007
65
10
Ian Cummings's profile photoDennis Vitt's profile photoÖzgür Turanlı's profile photoJames Walker's profile photo
18 comments
 
I'm curious why this would be the Windows password and not the Sync Passphrase or Google Account credentials (in the case that this browser profile is being synced to the Google cloud).

Edit: Especially since it is guaranteed that there WILL be a password under those cases, whereas many Windows PCs don't have a password protecting their Windows profiles.
 
Because this feature has nothing to do with Chrome Sync. Not everyone connects their Chrome install with their Google account? 
 
You can argue about the necessity of this, but this is definately the ideal solution that should please all.
 
+Sushubh Mittal I wouldn't dismiss it so casually? True, not everyone does. But for those that do, the intuitive security challenge would be the Google password or passphrase.
 
I don't know a lot about the MacOS keychain, but my understanding is that Chrome was saving/accessing passwords from that keychain.  In which case this feature made perfect sense -- you were interacting with the system's password manager and thus you should authenticate with the system.

But under Windows, you aren't doing that -- the password storage is somewhere within Chrome (disclosure: I have no idea how this actually works ;-) ).  So the natural authentication challenge should be the Chrome credentials.  Either none if you aren't using Google Sync, or the Sync credentials if you are.

That's just my two cents.  I'm not trying to give people grief.
 
Personally? You are accessing information protected by Windows password so it makes more sense. Also... Anyone logging into Chrome on his Windows machine is likely to be technical enough to have a properly configured user account. Security of Chrome's local storage has nothing to do with your Google account. 
 
btw, I love your facebook user name :)
 
+Stephen Foust-Christensen On Windows, Chrome stores your passwords as data encrypted by your OS user account password.  The access model is thus very similar to Mac OS' keychain, and thus if you're going to prompt for a password to access the data, the user account password, not a Google sync password, is what makes sense.
 
+Peter Kasting thanks for the clarification -- I didn't realize the model was that similar between Mac OS and Windows.

I still suspect that users would find the Google Account password more intuitive (especially when there are multiple Chrome profiles at play), but if it is currently encrypted under the OS user account password then that makes sense.
 
Surprised that it uses CredUIPromptForCredentials  rather than CredUIPromptForWindowsCredentials which suits newer versions of Windows better.
 
+Michel Memeteau Linux is pretty secure as is, I'm sure it can wait for the chromium team/external developer to fork it and port it to Linux.
 
How does this help on a PC or Profile that has no password?

My wife's PC has no password, and my daughters profile has no password. My daughter forgot the password to a site that she wanted to access from her phone.

It asks, we press the OK button with the password entry field blank, and it gices an error saying that we need to enter a password.

Can't enter one if it doesn't exist.


EDIT: Found the solution under another of your posts:
https://plus.google.com/+FrancoisBeaufort/posts/2zhYDGP822Z

chrome://flags/
Disable Password Manager Reauthentication Mac, Windows
Click Enable
Restart Chrome
Done!
Only Chrome makes you Enable to Disable....FTW!
 
Didn't try creating a temp password. Didn't want to go thru the hassle of making one, then removing it, just to see a password on chrome, and then likely having the pc decide that I couldn't remove the password :)
Add a comment...