gmail saved passwords visible in field



  • Hi, with the current Vivaldi and the new Gmail login page it is possible to see a saved password.

    Just click to select the saved password and then click on the "eye" icon. The password is shown in plain text.

    As far as I can remember this was not possible with older Vivaldi (and older gmail login page).




  • Moderator

    On Windows 10 with 2.3.1440.48 I cannot see the passwords on chrome://settings/passwords without entering the Windows account password.

    How can I reproduce your issue?



  • W10, Vivaldi 2.3.1440.48

    You cannot see a password on chrome://settings/passwords without entering the Windows account password - that is correct.

    But go to the Gmail login page and then you don't need any password to see the saved password.

    Gmail.com -> Choose an account -> choose one with a saved password -> click on the password field and choose the saved password -> click on the crossed eye -> password is revealed without the Windows login password being needed


  • Moderator

    @bac Can confirm this with 2.3.1440.48.
    I will check if Chromium 72 and 73 and 74 do the same.
    Same on Chr 72, 73 and 74. Looks like a Google feature.

    Not nice for privacy! Blame the Chromium devs and report a bug on https://bugs.chromium.org/p/chromium/issues/list


  • Moderator

    Clicking on the crossed eye is a feature. I believe its intended use is for you to be able to ensure you typed the password correctly.

    This is usually an issue for people who maybe have issues with typing, or if they use a mobile device with a small keyboard which could introduce typos.

    A number of online services are beginning to offer something similar, it's not just Google.

    EDIT: Re-reading the post, I can see how this would be considered an issue.


  • Moderator

    If Autofill is activated, a password field contains the password for a login.
    You can check it by inspecting the password form field and changing the type="password" to type="text". I guess that is what Google does on their page.

    Some nice pages related to such made-visible fields:
    https://totallynoob.com/Reveal-Password-From-Input-Boxes-With-Chrome-Tools/
    https://www.youtube.com/watch?v=wh-XcmRQFhI
    https://www.w3schools.com/howto/howto_js_toggle_password.asp



  • So what does it mean? Is it a Google problem that can't be fixed with Vivaldi?


  • Moderator

    @bac It is not a browser problem, so it cannot be fixed by Vivaldi.
    Google's web designers have created the problem on their website.



  • OK, thank you.


  • Moderator

    I recently encountered a case where such a "view typed password" feature would have been helpful. I was helping an older person who was having difficulty with typing a password - in that they couldn't remember how much of a long password they had already typed.

    I think for those users, this feature is incredibly helpful.



  • Yes, it is helpful when you type the password. It is a security problem when it is that easy to see encrypted saved passwords.


  • Moderator

    @bac said in gmail saved passwords visible in field:

    It is a security problem when it is that easy to see encrypted saved passwords.

    Why is it a security problem for you? You have to hit the eye icon to reveal the password.
    If anybody sits in front of your PC it is a risk that this person can spy on your data.

    If you want to stop automatic insertion of logins, open vivaldi://flags/#fill-on-account-select , set it to Enable and restart Vivaldi.
    Now a click on a list is needed to insert the login.
    Is that better for you?

    Who can steal your logins if this person does not interact with your browser? What is your concern?



  • Stored passwords are encrypted. All stored passwords are supposed to be encrypted - that is common sense.
    But because of this bug/feature, Gmail passwords are not effectively encrypted; it is like they are stored in plain text.

    Maybe it is not such a big deal but it is still a weakness.


  • Moderator

    @bac said in gmail saved passwords visible in field:

    But because of this bug/feature, Gmail passwords are not effectively encrypted; it is like they are stored in plain text.

    No, you misunderstand. The passwords are stored encrypted in the database. But they are retrieved from the password database, decrypted and inserted in login fields.
    You cannot send an encrypted password to the webserver, because it could not decrypt it for a login. That is why you have to use SSL connections to have an encrypted connection where nobody can read in the middle.

    I agree that password-only login is weak if you do not have Two Factor Authentication (2FA) by smartcard, hardware key or OneTimePassword.

