In the last five years, users have reported the same bug to the Chrome team 43 times. In reality, the issue users found is not a bug at all.

The bug that has got users panicking revolves around Chrome's Developer Tools, a pop-up panel with debugging tools added to Chrome to help web designers and developers.

The Chrome Developer Tools allow users to alter a page's content in real time, alter CSS styles, investigate network requests, and much more.

Over the years, several users have discovered that they could use Chrome's Developer Tools to unmask the password asterisks inside password fields, revealing the password in legible text. The procedure goes as follows:

Step 1: User enters a password inside a password field
Step 2: User opens Developer Tools and locates password field code
Step 3: User changes password field HTML code by altering the "type" attribute from "password" to "text"
Step 4: Chrome now displays the password field as readable text

Chrome bug reported 43 times

The last time users reported this bug was Christmas Day this year, four days ago. The bug is sometimes referred to by Google engineers as "Users can steal their own password."

While this looks to be quite grave, the issue is nowhere near as dangerous as some users might think. The fact that 43 users (most likely developers) reported this shows how little people know about how browsers handle passwords.

The astonishing number of times users reported this bug over and over again forced the Chrome team to explain why this happens, why the "bug" isn't a big deal, and how little it counts when it comes to Chrome's security threat model.

One of the most frequent reports we receive is password disclosure using the Inspect Element feature (see for an example). People reason that "If I can see the password, it must be a bug." However, this is just one of the physically-local attacks described in the previous section, and all of those points apply here as well.

The reason the password is masked is only to prevent disclosure via "shoulder-surfing" (i.e. the passive viewing of your screen by nearby persons), not because it is a secret unknown to the browser. The browser knows the password at many layers, including JavaScript, developer tools, process memory, and so on. When you are physically local to the computer, and only when you are physically local to the computer, there are, and always will be, tools for extracting the password from any of these places.

And Google is right. An attacker who has access to your computer and tinkers with a website's HTML code via Developer Tools to expose an auto-filled password is a moron. There are numerous ways he can get his hands on passwords that are both faster and more efficient.

Password asterisks were added to prevent nosey roommates trying to get a peek at your passwords while you were logging in. They're not an indicator of actual security nor do they hide the password from everything and everyone.

Users have bigger problems if an attacker is sitting in front of their computer. This is why using a password for your OS account is millions of times more important than this bug and will keep your passwords more secure than Google changing how Chrome's password field works.

Also, most of the time passwords get stolen from Chrome and other browsers via malware with password-dumping capabilities. So maybe don't open that PDF you got via email from a person you don't know.

If you're looking for a trove of advice on not getting hacked and being safe online, we recommend reading The Motherboard Guide to Not Getting Hacked. Lots of good and sensible advice!
