Why you shouldn't store your passwords in Google's Chrome browser

Software developer Elliott Kember is upset with Google Chrome.

Why? Because of what he describes as its "insane password security strategy".

You see, unlike rivals such as Firefox, when you tell your Chrome browser to remember a password it doesn't give you the option to protect the information with a strong master password.

In fact, Chrome doesn't let you protect your passwords with a master password at all.

So, anyone who has access to your desktop (perhaps you have walked off to make a cup of tea) could simply visit the URL

chrome://settings/passwords

and find your passwords are just the click of a "Show" button away.

Chrome password screen

Of course, if you do leave your computer unattended you should always lock it to prevent this sort of problem. But human nature being what it is, it's hard to see how Google can justify not putting an extra level of protection in place when other browsers have adopted similar techniques.

Kember stumbled across the problem after temporarily switching from Apple's Safari browser to Chrome, and being surprised to find that he was unable to disable Chrome's desire to import passwords stored in his usual browser of choice.

Import settings

It does seem very odd that Google Chrome greys out the option to import passwords, meaning that the user has no choice about the information being shared with another application - particularly one that isn't offering the most rudimentary level of protection.

Researchers have shown that asking any of the leading browsers to remember your passwords is not necessarily a safe idea, but Google Chrome's handling of the situation seems particularly lax.

And Kember is in good company, judging by this tweet by internet legend Tim Berners-Lee:

My advice is not to tell any browser (and especially not Chrome) your password. Instead use password management software like LastPass, 1Password, and KeePass to remember your passwords securely, as well as help you generate complex, random passwords for the various accounts you have on the web.

Furthermore, get in the habit of always locking your computer when you step away from the keyboard.

And if you are going to let a friend or colleague borrow your computer for a few minutes, make sure to log into a "guest" account so they can't access any of your personal files or settings.


13 Comments on "Why you shouldn't store your passwords in Google's Chrome browser"

Aaron Hurt
Visitor
August 7, 2013 2:43 pm

This is a ridiculous disappointment… and I'm embarrassed that I didn't see it previously.

spryte
Visitor
August 7, 2013 3:52 pm

This is something those testing the new beta versions of Opera (ver. 15 and above) have been complaining about since its release.
And one reason many are staying with earlier versions.

Darren Wall
Visitor
August 7, 2013 4:04 pm

I don't use the save password option so had never checked the setting. I had, of course, forgotten that the original install had copied passwords from other browsers. Will have to dig into this more: does clearing from one instance of Chrome clear across any other machines (and mobile devices) that you run Chrome on?

mat
Visitor
August 7, 2013 8:44 pm

This is nothing new. A lot of people, including me, shared our concerns with Google on forums and sent it as feedback, but the Google guys kept saying that they don't intend to change this or provide an admin password. What they suggest is that you shouldn't share your PC with others... yes, seriously!!!

Alan Yoon
Visitor
August 7, 2013 10:49 pm

I don't understand how this is news. Google Chrome has always stored passwords in plain text… since at least 2009. Suddenly people are outraged!

Balutch
Visitor
August 8, 2013 12:34 am

It helped me to delete all saved passwords.

Tor0astra
Visitor
August 8, 2013 8:50 am

Nobody in my circle uses a password manager. The attitude is -no need, -no help, -no hurry. I find that perplexing, and it seems I am alone.

Derik
Visitor
August 8, 2013 2:52 pm

This "flaw" is not limited to Chrome, but Firefox does the same thing as well. Also, it is worth noting that the user must sign into Chrome and select for stored passwords to be synchronized for this to be exposed; if a user simply logs into Gmail, it does not work. There is a big difference here. You should never sign into Chrome on a non-trusted computer, or a shared computer/kiosk type machine.

sandokanfirst2
Visitor
September 22, 2014 10:59 pm

Not (completely) true, as indicated in the article: Mozilla Firefox at least has the option to set a Master Key, which makes 'borrowing' passwords a lot more difficult.

Alex
Visitor
August 9, 2013 9:53 am

So what is the threat model here?

Is the adversary my husband? Or evil crackers?

In the former case, yes, a master password might help, but I should really be using different Windows/OSX/Linux user profiles to have a real degree of separation/privacy for all my private data and applications. I see nobody complaining there is no master password for Microsoft Office. In fact, wait, that is my Windows password! But then I don't need a browser password. Win!

In the latter case, usability of the browser mandates that the password database remains unlocked for 99.999% of the browser's uptime, making the "master password" moot. People are better off *not* storing any passwords in the browser to defend against evil crackers stealing their passwords.

Teksquisite
Visitor
July 7, 2014 5:11 pm

I made the same mistake (sites long forgotten since 2000 too) – multiple sites with the same "easy to remember" password. It was not until a hacktivist gained control of some Gmail and hosting accounts that I realized my error. I was fortunate because I had great assistance from Brian Krebs (his Google connections) to get my Gmail accounts back. I also use LastPass – approx. 180 online accounts. Ironically, the hacktivist left me a message in one hacked account and told me that I should never have used the same simple password on so many sites :)
