If you mean an extra password, the answer is that most people don't want to type in a password when they open their browser. Think it through and try to see the issue.

I don't see your "issue", as using a master password does not "defeat the whole purpose of password saving" at all. Many people have different login credentials for different websites (not only passwords, also login name or email) which are hard to remember which one you used where. Having access to them with a single master password is convenience.

I like the way this is handled in Opera, where your passwords can never be accessed/viewed in plain text at any time. Once your login data are stored, you can simply use them via CTRL+ENTER on the login form and the data is pasted into it. If you want to you can use a master password to restrict access to that data. And you can even set a time after which the the browser will forget that password and then asks for it again after e.g. 15 minutes.

I sit down at your computer and Opera is open. I go to facebook.com, click on the password field, press ctrl+enter. I then use the dom editor to change the field to text. Will I see the password?

You will not, because that domain is blocked in every OSI layer possible in my local setup. ;)

But seriously: Yes, of course you would. They have to be pasted in clear text. There is no other way to do this.

But that's not the point. The point is that you do not get to use CTRL+ENTER in the first place! Unless, of course, you type in the master password, which Opera will forget after x minutes (zero if you want it to be forgotten instantly). So you have a windows of x minutes after I've used the password manager for the last time to do your "DOM hack".

You drew an analogy with having root and being able to edit the sudoers file, but note that in that case the attacker is not able to see any passwords, only change them. I think it provides a useful level of security if the browser would encrypt stored passwords with a master key, using an OS-provided keychain. As with Safari, it could then ask for the master password before showing any passwords, while remembering the same password for normal logins for convenience. This is under the assumption that revealing your password is worse than somebody being able to use your accounts.

Please explain the exact algorithm that the browser stores encrypted passwords and needs a master password before showing, but can "remember for convenience".

Or do you mean that it'll prompt people for a master password for uncommonly used sites? Because that's just going to lead to people forgetting the master password and having to do a password reset.

My suggestion would be to use the OS keychain facilities, so the master password would be the same as the one used to log in. The master password is only needed once to decrypt the passwords, but I'm suggesting that for the 'show passwords' functionality the browser should insist on asking the password again. The advantage is that on disk, passwords are not stored in plaintext, and the browser doesn't reveal passwords trivially. A determined attacker could still extract the encryption key from a memory dump, but that's on a completely different level from a "show passwords" button.

Chrome already uses the OS keychain facilities. People are complaining that this is insecure because unauthorized people can look at the saved passwords if the user leaves their computer logged in and unlocked. They want Chrome to adopt the Firefox approach of storing them directly on disk optionally encrypted with a master password.

Or the Safari approach, where even though it could show you the passwords directly, its policy is to ask for your password before doing so. Note that while Chrome uses the keychain, it actually circumvents the point of the keychain by decrypting all keys at startup, before they're needed.