Microsoft Just Persuaded Google To Make Chrome More Like Internet Explorer 10

This article is more than 4 years old.


Microsoft has been working to rebuild the Edge web browser using the same open-source Chromium engine that powers Google Chrome for a while now. Most spectators thought that this would lead to Edge becoming more like Chrome, but did anyone see this change coming that makes Chrome just a little bit more like Internet Explorer 10?

What has just happened to the Google Chrome browser?

Don't panic, though; this isn't as bad a thing as it sounds. It's good news from the security perspective for both Microsoft Edge and Google Chrome users. Indeed, it is evident that when you bring two technology giants together good things can, sometimes, result. In this case the good thing in question involves passwords, it has been revealed.

Revealed being the operative word. The latest stable build of the Google Chrome Canary browser, the developer version of Chrome where experimental new functions get tested before being rolled out to the release version, now features something called "password reveal."

The stable build of Chrome Canary 78 has got a password reveal button added to the password field when you are typing your website login credentials. This revelation of the obfuscated password "dotted string" occurs when you hit the little eye icon that appears in the input field. Or at least it does if you are signing into Reddit or Disqus; otherwise it's a busted flush right now.

This is the feature that Alex Keng, a developer on the Microsoft Edge team, described in a commit (or revision if you prefer) to the Chromium open-source code on July 26. However, it is also a feature that has been present in Internet Explorer since 2012. You can also expect to be able to use it in the Chromium-powered version of Microsoft Edge, in due course. For Microsoft fans, the latest “Edge Canary” build is where you can see it first.

Is password reveal a secure feature?

The reasoning behind such a feature is that the user can see the password that has been typed in to check it is correct. This can be useful if your login has been denied for using the wrong password, especially when retries are limited. However, it does raise some security questions. Not least, is it a securely implemented function? After all, your web browser can automatically fill login credential fields if you have configured it to save passwords. So doesn't that mean an attacker could, if they had access to your device, use that automatic fill and then reveal the password? Thankfully not, is the correct answer.

According to Keng, "A keydown handler is added to support Alt-F8 hotkey to reveal/obscure password and logics are added to make sure the reveal button only appears with direct user input. If the password is not empty in the first place (ex. autofill or value=xxx) or the control loses focus and regains focus, or the value is changed by script, the reveal button won't show."
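
The gating rules in that description can be modelled as a small state machine. The sketch below is an added illustration, not Chromium's code or Keng's commit: the class, method and event names are hypothetical, the sample values are constructed, and it assumes the button never comes back once it has been withdrawn, since the description does not say how eligibility is regained.

```javascript
// Simplified model of the reveal-button gating rules in Keng's description.
// Not Chromium code: class, method and event names are hypothetical.
class PasswordRevealGate {
  constructor(initialValue = "") {
    this.value = initialValue;
    // A field that starts non-empty (autofill, value=xxx) is never eligible.
    this.eligible = initialValue === "";
    this.revealed = false;
  }
  lock() {
    // Assumption: the description does not say how eligibility is regained,
    // so this model never re-enables the button once it is withdrawn.
    this.eligible = false;
    this.revealed = false;
  }
  userType(text) { this.value += text; }                 // direct keyboard input
  scriptSet(value) { this.value = value; this.lock(); }  // autofill or script write
  blur() { this.lock(); }                                // control loses focus
  focus() {}                                             // regaining focus restores nothing
  get buttonVisible() { return this.eligible && this.value !== ""; }
  // Alt-F8 or the eye icon: only has an effect while the button is visible.
  toggleReveal() {
    if (this.buttonVisible) this.revealed = !this.revealed;
    return this.revealed;
  }
}

// Replay a constructed event sequence, then attempt one reveal.
function replay(initialValue, events) {
  const gate = new PasswordRevealGate(initialValue);
  for (const [name, arg] of events) gate[name](arg);
  return { buttonVisible: gate.buttonVisible, revealed: gate.toggleReveal() };
}

// Constructed scenarios (sample values are made up for this example).
const scenarios = {
  typedByUser: replay("", [["userType", "hunter2"]]),
  autofilled: replay("saved-secret", []),
  setByScript: replay("", [["scriptSet", "injected"]]),
  refocused: replay("", [["userType", "abc"], ["blur"], ["focus"], ["userType", "d"]]),
};
console.log(scenarios);
```

Only the `typedByUser` scenario ends with the password shown in clear; the autofilled, script-set and refocused fields stay obscured even when a reveal is attempted.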

The ethical hacker opinion

Ethical hacker John Opdenakker says that "it’s showing what’s in the input field, it’s client-side. I could do the same in the browser with the browser tools anyway, and I don’t see any additional risks." Apart, that is, from the shoulder surfing potential. This is where an onlooker can see what you have entered and copy it. Of course, that shoulder surfing attacker could also watch your fingers on the keyboard, so it's a risk that applies under any circumstances.

Opdenakker says that "using a password manager has the benefit of eliminating the shoulder surfing risk from a password reveal feature. Also, you cannot make input mistakes when using a password manager for autofill."

The problem with password managers, apart from the fact that most users still don't rely on them, is mainly that some websites disable the pasting or auto-filling of passwords on security grounds. The reality is that by disabling the paste function those sites are potentially weakening security rather than strengthening it.
