Whoa, whoa, whoa. Let's all take a step back and try to see the forest for the trees. I read Mr. Kember's article (as well as numerous others linking to it around the web today) and what I read made me concerned enough to delete all of my passwords from Chrome until I understand a little more about the issue.
justinschuh seems to have a deep technical understanding of programming and program security so I will defer to his greater understanding and make sure that I secure access to my computer when I am not physically present.
With all of that, my concern is that justinschuh seems to believe that anyone who has physical access to my computer and wants to do something malicious will have a deep understanding of programming, and that is silly. What about my druggie cousin who comes to my birthday party? He has no programming skills, but if he knew one simple URL he now has passwords to my bank account, my Amazon account and a ton of other accounts that he can use to transfer money or otherwise feed his habit at my expense. Or how about my ex-wife who gains access to my laptop because my daughter needed it for a school project? Now my ex, who has zero programming knowledge, nor does she understand what "threat model" even means, has passwords to all of my accounts including Facebook and Twitter that she can use to seriously harm my social/professional life.
So, you see, I get that you understand the programmatic "threat model"; my problem is that you seem to be too smart to see that not all threats come from tech-savvy "hackers." Some threats just come from opportunistic malfeasors, and I don't need to add any new opportunities to the seemingly unending list of ways people can screw up my life.
This is exactly my feeling too. Justin seems too smart by half.
His attitude is very much like an ivory tower academic who is befuddled that people don't follow best practices.
I also get the feeling he's not used to having to admit he's wrong. I guess you don't make it to 'head of security' at Google by having a little humility, but his responses are really not very encouraging.
You should probably direct your anger to the author of the article for exposing this to people like your druggie cousin who comes over for your birthday party if that's your main concern.
As long as your password keychain is unsecured, EVERY browser does this -- it's just a matter of knowing where the passwords are stored in the browser as plaintext. If you don't want people to access your accounts, then secure them. You can't have your cake and eat it too. Either your passwords are conveniently stored in plaintext so you can log in more easily, or you take actions to secure your account and add a step to the login process.