Why you shouldn’t store your passwords in Google’s Chrome browser

Software developer Elliott Kember is upset with Google Chrome.

Why? Because of what he describes as its “insane password security strategy”.

You see, unlike rivals such as Firefox, when you tell your Chrome browser to remember a password it doesn’t give you the option to protect the information with a strong master password.

In fact, Chrome doesn’t let you protect your passwords with a master password at all.

So, anyone who has access to your desktop (perhaps you have walked off to make a cup of tea) could simply visit the URL

chrome://settings/passwords

and find your passwords are just the click of a “Show” button away.

Chrome password screen

Of course, if you do leave your computer unattended you should always lock it to prevent this sort of problem. But human nature being what it is, it’s hard to see how Google can justify not putting an extra level of protection in place when other browsers have adopted similar techniques.
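To make concrete what a master password actually buys you, here is an added illustration (not Chrome's, Firefox's or any browser's real code) of the two designs the article contrasts: a saved-password store that is readable by anyone who can reach the profile, and one that is locked behind a master password. The sample credential entry is constructed for the example. The locked store derives a key from the master password with PBKDF2 (so guessing is slow), encrypts with an HMAC-based keystream, and authenticates the file so that a wrong master password yields nothing rather than garbage; the stream cipher stands in for a real AEAD such as AES-GCM only because the Python standard library ships no AES.

```python
"""Unprotected vs. master-password-locked saved-password store.

Added example; the storage format and function names are assumptions for
illustration, not any browser's real implementation.
"""
import hashlib
import hmac
import json
import os

# Constructed sample data: one saved login, as a browser might remember it.
SAMPLE_ENTRIES = {"https://example.com": {"user": "alice", "password": "hunter2"}}

PBKDF2_ITERATIONS = 100_000  # slows down offline guessing of the master password


def plaintext_store_save(entries: dict) -> bytes:
    """The design the article complains about: the file *is* the secret."""
    return json.dumps(entries).encode()


def plaintext_store_show(blob: bytes) -> dict:
    """Anyone who can read the file (or click 'Show') gets every password."""
    return json.loads(blob)


def _derive_key(master_password: str, salt: bytes) -> bytes:
    # 64 bytes: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (see lead-in).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def locked_store_save(entries: dict, master_password: str) -> bytes:
    """Encrypt-then-MAC the store under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def locked_store_show(blob: bytes, master_password: str):
    """Return the entries, or None if the master password is wrong or the file was altered."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = _derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password or tampering: reveal nothing
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


if __name__ == "__main__":
    open_blob = plaintext_store_save(SAMPLE_ENTRIES)
    print("unprotected store leaks password:", b"hunter2" in open_blob)
    locked_blob = locked_store_save(SAMPLE_ENTRIES, "correct horse battery staple")
    print("locked store leaks password:", b"hunter2" in locked_blob)
    print("wrong master password shows:", locked_store_show(locked_blob, "guess"))
```

The caveat the article's advice about locking your screen already implies: once the store has been unlocked for the browsing session, its contents sit decrypted in the browser's memory, so a master password defends against someone casually opening the settings page or copying the profile file, not against code running under your own account.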

Kember stumbled across the problem after temporarily switching from Apple’s Safari browser to Chrome, and being surprised to find that he was unable to disable Chrome’s desire to import passwords stored in his usual browser of choice.

Import settings

It does seem very odd that Google Chrome greys out the option to import passwords, meaning that the user has no choice about the information being shared with another application – particularly one that isn’t offering the most rudimentary level of protection.

Researchers have shown that asking any of the leading browsers to remember your passwords is not necessarily a safe idea, but Google Chrome’s handling of the situation seems particularly lax.

And Kember is in good company, judging by this tweet by internet legend Tim Berners-Lee:

My advice is not to tell any browser (and especially not Chrome) your password. Instead use password management software like LastPass, 1Password, and KeePass to remember your passwords securely, as well as help you generate complex, random passwords for the various accounts you have on the web.

Furthermore, get in the habit of always locking your computer when you step away from the keyboard.

And if you are going to let a friend or colleague borrow your computer for a few minutes, make sure to log into a “guest” account so they can’t access any of your personal files or settings.


12 Responses

  1. Aaron Hurt August 7, 2013 at 2:43 pm #

    This is a ridiculous disappointment… and I'm embarrassed that I didn't see it previously.

  2. spryte August 7, 2013 at 3:52 pm #

    This is something those testing the new beta versions of Opera (ver. 15 and above) have been complaining about since its release.
    And one reason many are staying with earlier versions.

  3. Darren Wall August 7, 2013 at 4:04 pm #

    I don't use the save password option so had never checked the setting. I had, of course, forgotten that the original install had copied passwords from other browsers. Will have to dig in to this more, does clearing from one instance of Chrome clear across any other machines (and mobile devices) that you run Chrome on?

  4. mat August 7, 2013 at 8:44 pm #

    This is nothing new. A lot of people, including me, shared our concerns with Google on forums and sent it as feedback, but the Google guys kept saying that they don't intend to change this or provide an admin password. What they suggest is that you shouldn't share your PC with others.. yes, seriously!!!

  5. Alan Yoon August 7, 2013 at 10:49 pm #

    I don't understand how this is news. Google Chrome has always stored passwords in plain text… since at least 2009. Suddenly people are outraged!

  6. Balutch August 8, 2013 at 12:34 am #

    It helped me to delete all saved passwords.

  7. Tor0astra August 8, 2013 at 8:50 am #

    Nobody in my circle uses a password manager. The attitude is -no need, -no help, -no hurry. I find that perplexing, and it seems I am alone.

  8. Derik August 8, 2013 at 2:52 pm #

    This "flaw" is not limited to Chrome, but Firefox does the same thing as well. Also, it is worth noting that the user must sign into Chrome and select for stored passwords to be synchronized for this to be exposed; if a user simply logs into Gmail, it does not work. There is a big difference here. You should never sign into Chrome on a non-trusted computer, or a shared computer/kiosk type machine.

    • sandokanfirst2 September 22, 2014 at 10:59 pm #

      Not (completely) true, as indicated in the article: Mozilla Firefox at least has the option to set a Master Key, which makes 'borrowing' passwords a lot more difficult.

  9. Alex August 9, 2013 at 9:53 am #

    So what is the threat model here?

    Is the adversary my husband? Or evil crackers?

    In the former case, yes, a master password might help, but I should really be using different Windows/OSX/Linux user profiles to have a real degree of separation/privacy for all my private data and applications. I see nobody complaining there is no master password for Microsoft Office. In fact, wait, that is my Windows password! But then I don't need a browser password. Win!

    In the latter case, usability of the browser mandates that the password database remains unlocked for 99.999% of the browser's uptime, making the "master password" moot. People are better off *not* storing any passwords in the browser to defend against evil crackers stealing their passwords.

    • Graham Cluley August 9, 2013 at 10:03 am #

      Firstly, I agree that people shouldn't use browsers to remember their passwords.

      But, seeing as Chrome and other browsers are offering such a feature, they should at least put in place simple measures to prevent someone from *casually* accessing them.

      It's an all-too-common scenario for a friend or guest in your house to ask to temporarily use your computer to check their email, etc. And – if you don't have the foresight to have created a Guest account on your computer – you might just hand over your laptop without thinking.

      Additionally, you might have fellow workers in your desktop who you sometimes give permission to use your computer, or who might have access if you walk away without having locked your desktop.

      The requirement for a "master password" before viewing the passwords your browser remembers would prevent those kinds of attacks.

      I'm not suggesting that a browser master password makes your computer safe from hackers. But it makes it much harder for the vast majority of people who might try to snoop upon your passwords from accessing them.

      But yes, don't use your browser to remember your passwords. Use tools like KeePass, 1Password and LastPass instead.

  10. Teksquisite July 7, 2014 at 5:11 pm #

    I made the same mistake (sites long forgotten since 2000 too) – multiple sites with the same "easy to remember" password. It was not until a hacktivist gained control of some Gmail and hosting accounts that I realized my error. I was fortunate because I had great assistance from Brian Krebs (his Google connections) to get my Gmail accounts back. I also use LastPass – approx. 180 online accounts. Ironically, the hacktivist left me a message in one hacked account and told me that I should never have used the same simple password on so many sites :)
