
The road to hell is paved with outdated passwords…

So I am using Chrome in a corporate context. Outdated password regulations force me to increment my password every three months. The reason for that is well understood (PCI compliance), but can’t be changed from inside the corporation.

Previously, Chrome stored my passwords in the Apple Keychain. So I could script this with /usr/bin/security: push my password change into all saved passwords, or alternatively bulk-delete all those old passwords.
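The Keychain cleanup route described above, as an added example that is not the author's own script: it lists every internet-password item whose server is companyname.com or a subdomain of it and deletes those items with /usr/bin/security. The `"srvr"<blob>=` line format is assumed from `security dump-keychain` output; the suffix, the constructed sample data in the comments, and the DRY_RUN default are assumptions, so check the dry-run listing against your own keychain before deleting anything.

```shell
#!/bin/sh
# Added example, not the post author's code: bulk-delete stale
# *.companyname.com internet passwords from the macOS login keychain using
# only /usr/bin/security. The "srvr" attribute line format below is an
# assumption taken from `security dump-keychain` output; verify it on your
# own dump before setting DRY_RUN=0.

# Print the distinct "srvr" values from dump-keychain text on stdin whose
# host equals the given suffix or is a subdomain of it.
# Example: suffix companyname.com matches intranet.companyname.com but
# not notcompanyname.com.
matching_servers() {
    suffix="$1"
    sed -n 's/^[[:space:]]*"srvr"<blob>="\(.*\)"$/\1/p' |
        awk -v s="$suffix" '
            $0 == s { print; next }
            length($0) > length(s) &&
                substr($0, length($0) - length(s)) == "." s { print }
        ' | sort -u
}

# Delete every internet-password item for each server name read from stdin.
# One delete-internet-password call removes a single item, so loop until
# the keychain reports no further match. DRY_RUN=1 (the default) only lists
# what would be removed.
delete_servers() {
    while IFS= read -r srv; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would delete: $srv"
            continue
        fi
        while security delete-internet-password -s "$srv" >/dev/null 2>&1; do
            echo "deleted one item for $srv"
        done
    done
}

# Only touch the real keychain when explicitly asked to.
if [ "${RUN_KEYCHAIN_CLEANUP-}" = "1" ]; then
    security dump-keychain |
        matching_servers "${DOMAIN_SUFFIX:-companyname.com}" |
        delete_servers
fi
```

Run it as `RUN_KEYCHAIN_CLEANUP=1 DRY_RUN=1 sh cleanup.sh` first to see the list, then with `DRY_RUN=0` to delete.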

Recent Chrome does not do that any more.

Instead, the Apple Keychain contains only a master password, and the password store itself is implemented inside Chrome.

It has no scripting interface, so you have to use the UI.

Click three dots, navigate to Remove, select item, repeat.

The UI does not have a bulk search and delete interface. Instead, you have to go through all 300 individual *.companyname.com items, and individually select the three dots menu, navigate to Remove and select Remove. Thankfully, no confirmation requester.

You could select Details, but that’s that: No way to edit for you.

No edit for you, come back one year.

So here is what happens: I now have 300 autosaved outdated passwords in my Chrome password store. Each time I go to a company website matching *.companyname.com, it autocompletes the wrong password. After 3 failed attempts, I lock myself out.

I might remember that, and over time many of those entries will get updated. Sites I use less often will still hold the old password, and there is no way to tell which ones.

Yay. Not.

Published in Computer Science, Hackerterror, cybercyber

9 Comments

  1. Tobias Klausmann

    On my Linux machine, the saved passwords live mostly* in .config/google-chrome/Default/Login\ Data, which is an sqlite DB and thus can be changed if the browser is not running.

    * Mostly because as of late there seems to have been a separate online store as well, which is weird and I wasn’t asked about.

  2. Woo

    One of the many reasons why I refuse to use Chrome…

  3. Anton

    Enpass(.io) supports a neat browser extension, which connects directly to the running Enpass application.

    I’m now forcing myself to abandon all browser-internal password stores, as Enpass also allows updating passwords and searching for “expired”/“old” ones and duplicates.

    • kris kris

      Yes, that’s what I am doing at home. Work has a lot of HTTP Authentication which requires passwords in browser dialog boxes instead of HTML. Chrome has no API for that, so things like Enpass, 1Password or LastPass have no access to these. That sucks.

  4. So your password is encrypted with the master password, like
    f(pass,masterpass)=x
    and there is
    g(x, masterpass) = pass
    which is used to get your password back.

    This might be a bit of shooting in your own head through your left foot, but if you can’t change “x” automatically but you know f, why not do it the other way round. Every time you need to change passwords, remember a new masterpass.
    f(pass,masterpass_new)=y
    But since we don’t change x into y, the inverse function
    g(x, masterpass_new)=
    gives the new password.

    So in a nice world of happiness, you would just change your passwords according to the new master password. This is pretty much what pwdhash [0] does.

    (yes I know, we’re not in a world of happiness and we can’t have nice things, and pwdhash fails because of password rules)

    [0] https://pwdhash.github.io/website/

  5. The actual improvement would be to use SSO for those company services, so that the developer running the Mensa site does not have access to the domain passwords of management.

  6. mrfusion

    No SSO? Not even Kerberos?

  7. AndreasLobinger

    FdI 553: SSO
    Zebra crossings were introduced so that pedestrians could be run over en masse rather than one at a time

  8. Martin

    In the year 2050 we will still be discussing how to implement passwords sensibly or replace them with something better…
