Description of the issue:
If saved passwords are enabled and used, the browser settings page lists every site with a saved password with the option to see that password in the clear. Is this not a huge security issue? Anyone who can walk up to your computer can open your browser settings and very easily find every password you’ve saved.
Steps to Reproduce (add as many as necessary):
1. In the browser settings page, navigate to the Passwords page. Make sure Offer to Save Passwords is enabled.
2. Log in to any website with a password field.
3. Brave asks if you want to save the password. (This prompt also has the option to view the password in the clear.)
4. If you allow the password to be saved, the site is listed on the Passwords settings page and there is an option to view the password in the clear.
Actual Result (gifs and screenshots are welcome!):
If passwords are saved, the passwords are viewable.
It should not be so easy to see someone’s passwords.
Reproduces how often:
Version 0.57.18 Chromium: 71.0.3578.80 (Official Build) (64-bit)
Reproducible on current live release (yes/no):
I understand that if you’re saving a password in the client, you need to have the actual raw password text available for it to be of any use. The entire concept of saved passwords is insecure and one solution is to simply turn off the feature and not use them. Yet for users who rely on this feature, I feel like there could be a better compromise between convenience and security if the passwords were at least more protected from the casual user. Possibly have an option like “never display passwords in the UI” which can’t be switched off from the UI. (Or remove the ability to view passwords altogether.)