Google's Chrome team recently came under fire for its long-held practice of making saved passwords visible in plain text. If you hand your computer to a friend or leave it unguarded and unlocked, the friend or a passerby could go into Chrome's settings and view any website passwords you've saved without typing in your system password.
Chrome still makes passwords viewable in plain text by default, but the latest build of Chromium for Mac—the open source browser from which Chrome draws its code—gives users a new way to protect their passwords. If you type chrome://flags into the address bar, you'll find a password manager reauthentication option.
If you enable password manager reauthentication and then restart the browser, the next time you view your list of passwords you'll be prompted to enter the system password before being allowed to view them in plain text.
We described Chrome's method of displaying passwords in June in a feature on password management, noting that Firefox allows users to create master passwords to protect their login data from snoopers, while Internet Explorer simply doesn't provide snoopers an easily accessible list of passwords. Safari protects passwords with the OS X password.
Chrome has been doing things this way for years, but a controversy flared up in August after some reporters noticed the browser's method of displaying passwords and wrote about it. Google Chrome security engineer Justin Schuh defended the practice on Hacker News, saying, "The simple fact is that you need to lock your user account if you want to protect your information. If you don't do that, nothing else really matters because it's all just theater and won't actually stop anyone willing to invest minimal effort."
The new option to protect passwords in Chromium was contributed to the browser project two weeks ago by Google employee and Chrome developer Patrick Dubroy. The feature gained some wider attention after being described this morning on Google+ by Google employee François Beaufort. It seems to only be available on the Mac version of Chromium for now, but this may be the first step toward adding the protection to the main builds of Chrome. We've contacted Google to see if it will disclose any plans for adding the feature to Chrome, but we haven't heard back yet.