
"My point here is that there is little to no value." Personally speaking, I've had plenty of occasions where I've logged into a site and saved the password, then later Chrome doesn't recognise where to put the credentials on another page on the site (e.g. a header login vs a separate login page). In those cases I'd rather just look to see what the password is and re-enter it than go through a password reset process.


Someone who can access your computer, unlocked, can log in to your Facebook account (the password is saved), change the password, verify the email, re-save the new password, and it's just as easily "game over". You would never know what happened. Justin is absolutely right. His group is doing users a service by making these things more transparent. Folks who make exceptions based on this "security through obscurity" model should not be security tech leads.


Surely you see the difference between someone copying all of your passwords without your knowledge, and someone resetting your password for a single website that you would immediately notice when you check your email? They are two completely different types of attacks.


Changing the password is a fair point that I hadn't considered.


I think that most people on here haven't considered this. In fact, I arrived at your comment by searching the page for "reset". The majority of folks seem too focused on trying to outclass Justin and/or getting in the last word. They're not thinking. Just for fun, I went to see how many licks it actually does take to get to the center of a Tootsie Roll Pop, i.e., clicks to reveal a password using the passwords dialog box in Chrome. There are about 27 keyboard button presses for the URL, then a mouse click for the Show button. Fair enough. Too bad I can get to the password reset field in Facebook in 3 mouse clicks, using my bookmarks bar. I'm pretty sure that I won't need 25 more clicks for the verification email. So if we're all just gauging security by how difficult you can make getting at a password, then I beat Justin. And my "exploit" is platform independent.


I'm not trying to outclass anyone, I'm simply not sure that this is the right solution and so far I'm fully convinced by what he said. I'm sure he's way smarter than I and I'm probably missing something. Take everything I say as it is: a comment on the internet.

This being said, security through obscurity is never an optimal solution, but again going back to my "safe" analogy (not unbreakable, just hard to break). If a hacker wants to change the password, it takes a few clicks to locate a site where the user could be logged in. Then the clicks required to get a new password. Add the delay of email reception and so on... It takes more time and effort to do that than just click "show me all the passwords" and take a photo with a smartphone. Plus doing so will give you 1 password only.

About the keyboard press count, let's say I use both mouse and keyboard:

1. ctrl+, (shortcut to settings)
2. click Advanced
3. click Manage
4. click Show

It's 4 operations. In my opinion, it's way shorter to do that and get ALL the passwords of a given user than to try to change the Facebook password. Again, and I'm really stressing this, it's not about making an unbreakable system. It's just making it a bit harder to break.


Don't most sites require that you enter your old password before you can change it?


Indeed, I guess this is a +1 against storing passwords in plaintext (well, obtainable in any case), as a person could change your password and take over the account completely.


Not if you use the "reset" option. Which... you have their email account. So...


Heh. I wasn't even thinking about the "Forgot your password" feature. Better still.


I tend to have ways to remember passwords, so I never need this, but ok, your use case makes sense. Thanks for sharing!