Chrome Smart-Lock how weak is it?
Chrome offers the ability to auto-fill passwords without you as a user having to enter any kind of authentication other than being logged onto the machine. This means it has to have all of the information required to access the stored passwords while running in that context.
This means that any other applications running in that context (under your user account) can also access that information.
The only thing Chrome can do is use Operating System level protection to stop other users reading your data. Under windows it uses the CryptProtectData function. This encrypts the data with your windows user credentials - including your password. If you forget your password then the data is unreadable - even if an administrator resets it (although with chrome passwords they are backed up online and would be recovered next time you logged into it with your google credentials).
What do I misunderstand about security?
Any software running on your system under your own user or an administrator should be assumed to have access to everything that you do. If it couldn't read the password out of the password store there are numerous other ways to get it. From the clumsy (start chrome, point it to chrome://settings/passwords and read them out of the UI) to pulling either the passwords or the Google API key out of chromes memory while it is running or injecting a fake root certificate and man in the middle-ing a connection to the website where the password is sent.
There are some things you need to consider:
- A password manager is a convenience tool, not a security tool. If you want to have a secure password manager, it will have to keep everything encrypted, which actually cannot be proved in this case.
- Using a password manager will always be more insecure compared to not using one unless you manually control its security aspects, which does not happen. You do not know where the data is stored, in what format and what is the process involved in accessing it.
- Smart-Lock does not prove it's security at any point.
- The cryptography and implementation details should at least be documented somewhere, but they’re not which makes me highly doubt Chrome's official statements like 'Your passwords are always encrypted'. They don't say 'where' that actually happens: when storing them, when they sync, when cache is used, when general communications happen, etc.
- One conclusion of DEFCON 2016 states: 'Consumers are not able to evaluate security claims made by companies. We need more researchers investigating security claims made by companies on behalf of consumers.'
- Everything is cached at a point. Your browser will use a lot of trans-cache any above average specific application will be able to read from that.