Turns out Chrome doesn’t prompt users for verification when it displays stored passwords. Just pop chrome://settings/passwords into the url field, click “show” after selecting a password, and all is revealed.
This means anyone with control of your user account can view passwords you store in Chrome, unhindered. That includes something as mundane as handing your laptop to a friend so they can check out a web page, or walking away from an unlocked office machine for a few minutes.
The word “shocking” gets tossed around a lot when big security loopholes like this are discovered in consumer software. So much that it sounds a bit trite. But this one is, well, shocking. And a shrugging response of, “If a bad guy gains direct access to your user account, it’s game over anyway,” just doesn’t seem appropriate.
In the meantime, if you’re letting Chrome store your passwords, don’t.