Software developer Elliott Kember is upset with Google Chrome.
Why? Because of what he describes as its “insane password security strategy”.
You see, unlike rivals such as Firefox, when you tell your Chrome browser to remember a password it doesn’t give you the option to protect the stored credentials with a strong master password.
In fact, Chrome doesn’t let you protect your passwords with a master password at all.
So, anyone who has access to your desktop (perhaps you have walked off to make a cup of tea) could simply visit the URL
and find your passwords are just the click of a “Show” button away.
Of course, if you do leave your computer unattended you should always lock it to prevent this sort of problem. But human nature being what it is, it’s hard to see how Google can justify not putting an extra level of protection in place when other browsers already offer one. A master password only raises the bar against casual snooping, mind you; it does nothing against malware running under your own account once the browser has unlocked its password store, so it is a defence against the colleague at your desk, not against a compromised machine.
Kember stumbled across the problem after temporarily switching from Apple’s Safari browser to Chrome, and being surprised to find that he was unable to disable Chrome’s desire to import passwords stored in his usual browser of choice.
It does seem very odd that Google Chrome greys out the option to import passwords, meaning that the user has no choice about the information being shared with another application – particularly one that offers not even the most rudimentary level of protection.
Researchers have shown that asking any of the leading browsers to remember your passwords is not necessarily a safe idea, but Google Chrome’s handling of the situation seems particularly lax.
And Kember is in good company, judging by this tweet by internet legend Tim Berners-Lee:
How to get all you big sister's passwords http://t.co/CpytKWH9aT and a disappointing reply from Chrome team.
— Tim Berners-Lee (@timberners_lee) August 6, 2013
My advice is not to tell any browser (and especially not Chrome) your passwords. Instead use password management software such as Bitwarden, 1Password or KeePass to remember your passwords securely, as well as to help you generate complex, random passwords for the various accounts you have on the web.
Furthermore, get in the habit of always locking your computer when you step away from the keyboard.
And if you are going to let a friend or colleague borrow your computer for a few minutes, make sure to log into a “guest” account so they can’t access any of your personal files or settings.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
14 comments on “Why you shouldn’t store your passwords in Google’s Chrome browser”
This is a ridiculous disappointment… and I'm embarrassed that I didn't see it previously.
This is something those testing the new beta versions of Opera (ver. 15 and above) have been complaining about since its release.
And one reason many are staying with earlier versions.
I don't use the save password option so had never checked the setting. I had, of course, forgotten that the original install had copied passwords from other browsers. Will have to dig into this more: does clearing from one instance of Chrome clear across any other machines (and mobile devices) that you run Chrome on?
This is nothing new. A lot of people, including me, shared our concerns with Google on forums and sent them as feedback, but the Google guys kept saying that they don't intend to change this or provide an admin password. What they suggest is that you shouldn't share your PC with others… yes, seriously!!!
I don't understand how this is news. Google Chrome has always stored passwords plain text… since at least 2009. Suddenly people are outraged!
It helped me to delete all saved passwords.
Nobody in my circle uses a password manager. The attitude is -no need, -no help, -no hurry. I find that perplexing, and it seems I am alone.
This "flaw" is not limited to Chrome, but Firefox does the same thing as well. Also, it is worth noting that the user must sign into Chrome and select for stored passwords to be synchronized for this to be exposed; if a user simply logs into Gmail, it does not work. There is a big difference here. You should never sign into Chrome on a non-trusted computer, or a shared computer/kiosk type machine.
Not (completely) true, as indicated in the article: Mozilla Firefox at least has the option to set a Master Key, which makes 'borrowing' passwords a lot more difficult.
So what is the threat model here?
Is the adversary my husband? Or evil crackers?
In the former case, yes, a master password might help, but I should really be using different Windows/OSX/Linux user profiles to have a real degree of separation/privacy for all my private data and applications. I see nobody complaining there is no master password for Microsoft Office. In fact, wait, that is my Windows password! But then I don't need a browser password. Win!
In the latter case, usability of the browser mandates that the password database remains unlocked for 99.999% of the browser's uptime, making the "master password" moot. People are better off *not* storing any passwords in the browser to defend against evil crackers stealing their passwords.
Firstly, I agree that people shouldn't use browsers to remember their passwords.
But, seeing as Chrome and other browsers are offering such a feature, they should at least put in place simple measures to prevent someone from *casually* accessing them.
It's an all-too-common scenario for a friend or guest in your house to ask to temporarily use your computer to check their email, etc. And – if you don't have the foresight to have created a Guest account on your computer – you might just hand over your laptop without thinking.
Additionally, you might have fellow workers in your desktop who you sometimes give permission to use your computer, or who might have access if you walk away without having locked your desktop.
The requirement for a "master password" before viewing the passwords your browser remembers would prevent those kinds of attacks.
I'm not suggesting that a browser master password makes your computer safe from hackers. But it makes it much harder for the vast majority of people who might try to snoop upon your passwords from accessing them.
But yes, don't use your browser to remember your passwords. Use tools like KeePass, 1Password and LastPass instead.
I'd be interested to know whether you feel that Google's password management features have moved on since this post. Well, I believe they've moved on, but are they significantly improved?
I recently had my password reset by Amazon, who advised me that they believed my email and password had been posted online. It was from a different source, but I do, to my shame (not unlike MZ), reuse passwords! Consequently, I now feel the need to trawl through all my accounts and change the passwords.
So, I'm on the cusp of going full steam ahead with either Dashlane or Chrome, even letting them (whichever one I decide on) generate unique, strong passwords for me. As I pretty much live within the Google/Chrome ecosystem, I'm tempted to use Google. My Google account has a very strong password and 2-factor authentication.
Any advice gratefully received.
I made the same mistake (sites long forgotten since 2000 too) – multiple sites with the same "easy to remember" password. It was not until a hacktivist gained control of some Gmail and hosting accounts that I realized my error. I was fortunate because I had great assistance from Brian Krebs (his Google connections) to get my Gmail accounts back. I also use LastPass – approx. 180 online accounts. Ironically, the hacktivist left me a message in one hacked account and told me that I should never have used the same simple password on so many sites :)
Headline should read – "You shouldn't store passwords in the web, cache or cloud services period."
Might as well hand out your credit card too!