A penny saved is a penny earned.

In the world of user experience, a penny solution can be the difference between acquiring a user or sending her to a different product.

When you keep an eye only on dollar value solutions, users may balk and find their solution elsewhere.

Spin only goes so far.

This week’s lost opportunity in the world of user experience (UE) comes from a company that should understand the importance of UE, but often drops the ball when an opportunity arises.

A “discovery” (not really new) by a Chrome user showed that saved passwords in the Chrome browser were quite easy to get to for anyone with access to the computer. It went viral. Major media outlets picked up on it.

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.
 

Seeing the passwords is achieved simply by clicking on the Settings icon, choosing “Show advanced settings…” and then “Manage saved passwords” in the “Passwords and forms” section. A list of obscured passwords is then revealed for sites – but clicking beside them reveals the plain text of the password, which could be copied, or sent via a screenshot to an outside site.

Google Chrome security flaw offers unrestricted password access | theguardian.com

Then the spin began.

Google was quite aware of the issue. Google then indicated they had no plans to change things.

We’ve also been repeatedly asked why we don’t just support a master password or something similar, even if we don’t believe it works. We’ve debated it over and over again, but the conclusion we always come to is that we don’t want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that’s really what they get.

I’m the Chrome browser security tech lead, so it might help if I explain | Hacker News

The problem is that mainstream users are learning something they didn’t know before. If Google was indeed “wanting to be very clear” on this topic, they would have added a bit of highlighted text indicating that passwords would be accessible and visible. Of course, users may not always read additional text, but to use this as an excuse is plain ignorant of who is responsible for the user experience. Everyone in a company, everyone who touches any part of a service or product is responsible for UE. Adding a bit of warning would have made things pretty clear – if that was really the intention.

A bad excuse is more visible than the bad user experience it leads to. A good UE decision is also clear – it’s as clear as plaintext when products are humming along without bad PR.

Of course, Google does not want to chase users away either or highlight the fact that other browsers do use a master password or encrypted area requiring entry of a password at each instance.

There’s also the argument that at some point, the passwords would become easily insecure and that a master password scheme is not really a secure scheme.

I read a comment from one person who has been around this block say, “Security is measured in dollars … There are all sorts of stupid extra steps you can add to make things harder for computer-illiterate attackers to compromise your accounts.”

This is where the difference between leadership and straight technical knowledge comes in.

Leadership will understand that the big picture revolves around the user experience. Even when changes might be considered penny value solutions by those who are experts and gurus when it comes to online security, leadership understands that sometimes even a simple door latch goes a long way in perception and in making users comfortable.

Is this promoting a false sense of security? No. The mere fact that Google is obfuscating the password area until it’s clicked on is promoting a false sense of security.

This is a big thing, because many users were actually caught unaware of how Chrome handles saved passwords.

When the user experience is on the line, it takes leadership to step up and say, let’s change this now and restore a bit of the user experience that we lost with the words: “We’ve debated it over and over again …”

User experience is not really a debate. In fact, the right decision is often pretty clear when looked at through the eyes of the user.

It’s why the following is also true for most users:

A penny saved is a penny earned.

Even Tim Berners-Lee found Google’s response not very appropriate.
