How Secure Are Your Saved Chrome Browser Passwords?

A common question about the Google Chrome Browser is “why isn’t there a master password?” Google has (unofficially) taken the position that a master password provides a false sense of security and the most viable form of protection for this sensitive data is through overall system security.

So exactly how secure is your saved password data inside of Google Chrome?

Viewing Saved Passwords

Chrome includes its own password manager, which is accessible via Options > Personal Stuff > Manage saved passwords. This is nothing new, and if you allow Chrome to store your passwords, you are probably already aware of this feature.

A nice touch of minor security is that you must first click the show button next to each password you want to view.

While there is no restriction to access this screen (i.e. if you have access to the desktop where Chrome is installed, you can get to the passwords), there is at least user intervention required to view each password with no way to export them in bulk to a plain text file.

Where is the Password Data Stored?

The saved password data is stored in an SQLite database located here:

%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data

You can open this file (the file name is just “Login Data”) using SQLite Database Browser and view the “logins” table which contains the saved passwords. You will notice the “password_value” field is unreadable because the value is encrypted.

How Secure is the Encrypted Data?

To perform the encryption (on Windows), Chrome uses a Windows-provided API function which makes the encrypted data decipherable only by the Windows user account used to encrypt the password. So essentially, your master password is your Windows account password. As a result, once you are logged into Windows using your account, this data is decipherable by Chrome.

However, because your Windows account password is a constant, access to the “master password” is not exclusive to Chrome as external utilities can get to this data – and decrypt it – as well. Using the freely available utility ChromePass by NirSoft, you can see all your saved password data and easily export it to a plain text file.

So it makes sense that if the ChromePass utility can access this data, malware running as the respective user could access it as well. When ChromePass.exe is uploaded to VirusTotal, just over half of the anti-virus engines flag it as dangerous. While in this case the utility is safe, it is a bit reassuring to see that this behavior is at the very least flagged by many AV packages (although Microsoft Security Essentials is not one of the AV engines which reported it as dangerous).
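
Because any process running as the user can read and decrypt the store, a practical check is to report every binary other than Chrome itself that touches the Login Data file. The following is an added example, not code from the original article: it filters Windows Security event 4663 records (object access) and flags unexpected readers. It assumes object-access auditing is enabled on the file and that Chrome sits in a default install path; the user "alice" and the sample records are constructed.

```python
import ntpath
import re

# The store named on this page, generalised to any user and any profile directory.
LOGIN_DATA_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data(-journal)?$",
    re.IGNORECASE,
)

# Assumption: Chrome is installed at one of its default machine-wide locations.
EXPECTED_READERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

def suspicious_reads(events):
    """Return (user, process, object) for each access to Login Data by an unexpected binary."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:  # 4663 = an attempt was made to access an object
            continue
        obj, proc = ev.get("ObjectName", ""), ev.get("ProcessName", "")
        if not LOGIN_DATA_RE.search(obj):
            continue
        # Compare the full image path, not the file name: a copy called
        # chrome.exe outside the install directory must still be reported.
        if ntpath.normcase(ntpath.normpath(proc)) in EXPECTED_READERS:
            continue
        hits.append((ev.get("SubjectUserName", "?"), proc, obj))
    return hits

STORE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
# Constructed sample records (not real log data), reduced to the fields used above.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": STORE,
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": STORE,
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\ChromePass.exe"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": STORE,
     "ProcessName": r"C:\Users\alice\Downloads\chrome.exe"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for user, proc, obj in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={proc} object={obj}")
```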

Can the Protection Be Circumvented?

Suppose your computer is stolen and the thief resets your Windows password in order to log in natively to your installation. If they were to subsequently try to view the passwords in Chrome or use the ChromePass utility, the password data would not be available. The reason is simple: the “master password” (which was your Windows account password prior to them forcefully resetting it outside of Windows) does not match, so the decryption fails.

Additionally, if someone were to simply copy the Chrome password SQLite database file and try to access it on another computer, ChromePass would display empty passwords for the same reason explained above.

Conclusion

At the end of the day, the security of the Chrome saved passwords depends totally on the user:

  • Use a very strong Windows account password. Keep in mind, there are utilities which can decipher Windows passwords. If someone gets your Windows account password, then they have access to your saved browser passwords.
  • Protect yourself from malware. If utilities are able to easily access your saved passwords, why can’t malware?
  • Save your passwords in a password management system such as KeePass. Of course, you lose the convenience of having the browser auto-fill your passwords.
  • Use a 3rd party utility which integrates with Chrome and uses a master password to manage your passwords.
  • Encrypt your entire hard drive using TrueCrypt. This is completely optional and for the ultra protective, but if someone can’t decrypt your drive they surely can’t get anything off of it.

The bottom line is simply to keep your system secure and your Chrome passwords should be reasonably secure as well.

Download ChromePass from NirSoft

Download SQLite Browser from Sourceforge

Translated from: https://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/