Why you shouldn't store your passwords in Google's Chrome browser

Software developer Elliott Kember is upset with Google Chrome.

Why? Because of what he describes as its "insane password security strategy".

You see, unlike rivals like Firefox, when you tell your Chrome browser to remember a password it doesn't give you the option to protect the information with a strong master password.

In fact, Chrome doesn't let you protect your passwords with a master password at all.

So, anyone who has access to your desktop (perhaps you have walked off to make a cup of tea) could simply visit the URL


and find your passwords are just the click of a "Show" button away.

Chrome password screen

Of course, if you do leave your computer unattended you should always lock it to prevent this sort of problem. But human nature being what it is, it's hard to see how Google can justify not putting an extra level of protection in place when other browsers have adopted similar techniques.

Kember stumbled across the problem after temporarily switching from Apple's Safari browser to Chrome, and being surprised to find that he was unable to disable Chrome's desire to import passwords stored in his usual browser of choice.

Import settings

It does seem very odd that Google Chrome greys out the option to import passwords, meaning that the user has no choice about the information being shared with another application - particularly one that isn't offering the most rudimentary level of protection.

Researchers have shown that asking any of the leading browsers to remember your passwords is not necessarily a safe idea, but Google Chrome's handling of the situation seems particularly lax.

And Kember is in good company, judging by this tweet by internet legend Tim Berners-Lee:

My advice is not to tell any browser (and especially not Chrome) your password. Instead use password management software like LastPass, 1Password, and KeePass to remember your passwords securely, as well as help you generate complex, random passwords for the various accounts you have on the web.

Furthermore, get in the habit of always locking your computer when you step away from the keyboard.

And if you are going to let a friend or colleague borrow your computer for a few minutes, make sure to log into a "guest" account so they can't access any of your personal files or settings.


13 Comments on "Why you shouldn't store your passwords in Google's Chrome browser"

Aaron Hurt
August 7, 2013 2:43 pm

This is a ridiculous disappointment… and I'm embarrassed that I didn't see it previously.

August 7, 2013 3:52 pm

This is something those testing the new beta versions of Opera (ver. 15 and above) have been complaining about since its release.
And one reason many are staying with earlier versions.

Darren Wall
August 7, 2013 4:04 pm

I don't use the save password option so had never checked the setting. I had, of course, forgotten that the original install had copied passwords from other browsers. Will have to dig into this more. Does clearing from one instance of Chrome clear across any other machines (and mobile devices) that you run Chrome on?

August 7, 2013 8:44 pm

This is nothing new. A lot of people, including me, shared our concerns with Google on forums and sent it as feedback, but the Google guys kept saying that they don't intend to change this or provide an admin password. What they suggest is that you shouldn't share your PC with others.. yes seriously!!!

Alan Yoon
August 7, 2013 10:49 pm

I don't understand how this is news. Google Chrome has always stored passwords plain text… since at least 2009. Suddenly people are outraged!

August 8, 2013 12:34 am

It helped me to delete all saved passwords.

August 8, 2013 8:50 am

Nobody in my circle uses a password manager. The attitude is -no need, -no help, -no hurry. I find that perplexing, and it seems I am alone.

August 8, 2013 2:52 pm

This "flaw" is not limited to Chrome, but Firefox does the same thing as well. Also, it is worth noting that the user must sign into Chrome and select for stored passwords to be synchronized for this to be exposed; if a user simply logs into Gmail, it does not work. There is a big difference here. You should never sign into Chrome on a non-trusted computer, or a shared computer/kiosk type machine.

September 22, 2014 10:59 pm

Not (completely) true, as indicated in the article: Mozilla Firefox at least has the option to set a Master Key, which makes 'borrowing' passwords a lot more difficult.

August 9, 2013 9:53 am

So what is the threat model here?

Is the adversary my husband? Or evil crackers?

In the former case, yes, a master password might help, but I should really be using different Windows/OSX/Linux user profiles to have a real degree of separation/privacy for all my private data and applications. I see nobody complaining there is no master password for Microsoft Office. In fact, wait, that is my Windows password! But then I don't need a browser password. Win!

In the latter case, usability of the browser mandates that the password database remains unlocked for 99.999% of the browser's uptime, making the "master password" moot. People are better off *not* storing any passwords in the browser to defend against evil crackers stealing their passwords.

July 7, 2014 5:11 pm

I made the same mistake (sites long forgotten since 2000 too) – multisites with the same "easy to remember" password. It was not until a hacktivist gained control of some gmail and hosting accounts that I realized my error. I was fortunate because I had great assist from Brian Krebs (his Google connections) to get my gmail accounts back. I also use LastPass – aprox. 180 online accounts. Ironically, the hacktivist left me a message in one hacked account and told me that I should never have used the same simple password on so many sites :)