By default the Chrome extension is set to NEVER lock the vault. This is, IMHO, a tremendously dangerous default setting for the average user. Many users may not realize that their vault is unlocked even after closing the browser...any passer-by could just open the browser and have everything.
Furthermore, this default setting means that the master password (or some valuable hash of it) must be persistently stored on the computer rather than just temporarily in memory. I realize this must be the case for the "never" setting, but as the DEFAULT?
I propose:
- change the default lock option to, say, 15 minutes. This would be way more sane and users could always change it consciously afterward.
- if you DO change the coded default, notify users when the extension is updated and ask if they want to change their current setting to the new default. This will alert anyone who was not aware of this already.
- always alert users to the additional security implications of selecting "Never" as the lock setting...some kind of popup message maybe?
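To make the proposal concrete, here is an added illustration of an auto-lock policy with the suggested 15-minute default; it is not the extension's own code, and `VaultSession`, `chooseNeverLock` and the key-derivation step it leaves out are assumptions for the example. The point it demonstrates is that with a timeout the decrypted vault key lives only in memory and is overwritten on lock, while "never" keeps it resident indefinitely and so is made an explicit, acknowledged opt-in rather than the default.

```javascript
// Added illustration (hypothetical, not the extension's code): a minimal
// in-memory vault-lock policy. The decrypted vault key exists only in this
// object while unlocked; on lock its bytes are zeroed and dropped, so an
// unattended browser holds nothing usable. A timeout of null means "never".

const DEFAULT_LOCK_MS = 15 * 60 * 1000; // proposed default: 15 minutes

class VaultSession {
  constructor(lockTimeoutMs = DEFAULT_LOCK_MS) {
    this.lockTimeoutMs = lockTimeoutMs; // null => never lock
    this.key = null;                    // Uint8Array while unlocked
    this.lastActivity = 0;
  }

  // Unlock with a key derived from the master password (derivation omitted;
  // `now` is a millisecond timestamp supplied by the caller for testability).
  unlock(derivedKey, now) {
    this.key = Uint8Array.from(derivedKey);
    this.lastActivity = now;
  }

  // Record user activity so the idle timer restarts.
  touch(now) { this.lastActivity = now; }

  // Overwrite the key bytes before dropping the reference.
  lock() {
    if (this.key) this.key.fill(0);
    this.key = null;
  }

  // Called periodically (e.g. from a chrome.alarms handler in a real
  // extension). Returns true if the vault is locked after this check.
  tick(now) {
    if (this.key === null) return true;
    if (this.lockTimeoutMs === null) return false; // "never": key stays resident
    if (now - this.lastActivity >= this.lockTimeoutMs) { this.lock(); return true; }
    return false;
  }

  isUnlocked() { return this.key !== null; }
}

// "Never" is not a default: it requires an explicit acknowledgement of the
// trade-off (key material remains in memory until the browser exits).
function chooseNeverLock(session, acknowledged) {
  if (!acknowledged) throw new Error('"Never" requires acknowledging the trade-off');
  session.lockTimeoutMs = null;
}
```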