Hello, welcome to the Wednesday, May 18, 2020 edition of the Sands and Storm Center's Stormcast. My name is Johannes Ulrich.

Entertainment from Jacksonville, Florida.

Passwords, of course, always get in our way and we know they don't really work, but we still use them.

And one way to balance usability and security with passwords is password managers.

Now, if you are installing and using a third-party application as a password manager,

those applications typically go through quite a bit of pain to make sure

the passwords are properly protected. However, on the other end, we also have still building

password managers that come with your browser. And the question is really, you know,

how good, how bad are they? And that's something that Xavier ran into recently when he looked at this in Google Chrome.

The way this came up was that they had an incident and apparently some administrator passwords were compromised.

Now, of course, the question was, where did these passwords come from?

In this particular case, Xavier found the account names in Google Chrome,

and then he took a closer look at how the passwords were encrypted.

They were encrypted.

However, the key is exposed, and that's a very common problem

when you're dealing with encryption at rest where

keys are exposed of course a better password manager probably would have protected that key

with a password or maybe even some secure enclave that many operating systems are offering

these days.

Good question from one of our readers.

Why did Google Chrome not take advantage of something like keychain or such?

Well, don't have an answer for it.

...