Google Chrome’s password security sucks!

David Gate Avatar
Google Chrome password security
Image Source: http://managemypractice.com

I use Google Chrome for practically all my web browsing, and a few days ago I made a startling discovery after reading this article: Google Chrome’s password security really sucks! Seriously, it’s like taking your password and placing it as a screensaver where anybody who has access to your computer can see it if they only look.

If you’ve used Google Chrome before, you may have noticed that it is pretty eager to store your passwords for you, offering to do so whenever you enter user data into any form as the screenshot below shows.

[Screenshot: Chrome save password prompt]

However, if you go to Google Chrome’s settings, there’s an option to “Manage saved passwords” which will take you to the following screen.

[Screenshot: Chrome manage passwords screen]

The really interesting thing here is that if you click the “Show” button in the password field, it will show your password without any further security prompt.

[Screenshot: Chrome show password]

In effect, Google Chrome eagerly offers to store your passwords for you, on the premise that it offers you the convenience of not having to retype your user details every time. However, in doing so, it strips out any other layers of security that you may have on your accounts, delegating the security solely to your computer. That is really not a comforting fact considering that it is really easy for someone to gain access to your computer.

Of course, we can start arguing about how your computer should always be protected with a strong password and how you should ensure that it doesn’t get into the wrong hands. If we’re to be really honest though, how many of us can claim to be the sole users of our computers, or that we have really strong passwords, or that we vigilantly monitor the activities of everybody who uses our computers? I doubt it’s a lot of us, and I have many friends who do not even have their computers password protected.

So imagine this scenario: a colleague or friend asks to look at a file on your computer and you oblige because it’s not a big deal. Somehow they proceed to go to Google Chrome’s password management page and click “Show” on the password fields. Bam! They have just obtained usernames and passwords to your online accounts and who knows what they may do with them. Many people are thus unwittingly trading off the security of their data for the convenience of not routinely entering their passwords every time.

If you’re really concerned about privacy and the protection of your personal information, I suggest you don’t let Google Chrome handle your passwords. And if you really want the convenience that Google Chrome offers with regard to remembering your passwords, there are several options available, such as using password managers (e.g. KeePass and LastPass) or encrypting your Google Chrome data.

 

11 comments

  1. tinm@n

    Just make it not save passwords. It is true that once someone has access at that level, you’re pretty much compromised.

    I use Firefox for browsing and most of my dev work. Even if it has a master password option, I never ever rely on it to remember my most critical passwords.

    Why not get a password manager?

  2. fourwallsinaroom

    Wow! That is a scary mess. This is why I have the majority of my web apps running with two step authentication. Much safer in my opinion. Still, there is nothing that is 100% secure even if one was to use key files, two step and a password. Someone with enough resources will be able to crack your password. I guess ultimately the measures you take to secure your data are a function of how much and how important it is to hide your data.

    1. Garikai

      Right to the point. Think of the NSA, if they want to read your mail they will but the average hacker will most likely be thwarted by two factor authentication.

  3. lolo babe

    Even Mozilla stores your passwords and you can show them. Basically, people should never allow password storage on desktop browsers.

  4. Farai Sairai

    David, I would suggest that you create another Chrome profile for every other user. I never allow anyone to browse using my Chrome profile as all my dirty secrets will be revealed. That auto complete and auto search function is scary if used by someone else….. :P.

    LastPass is definitely the way to go

  5. Tapiwa ✔

    Here’s your problem:

    So imagine this scenario: a colleague or friend asks to look at a file on your computer and you oblige because it’s not a big deal

    If they can see your password, it is a big deal. My suggestion: either don’t lend your computer to questionable characters, or better yet, get new, non-dodgy friends! If your shady associates want to get the dirt on you, a browser (any one of them – not just Chrome) is not going to get in the way.

  6. Sticky Password

    Another option is Sticky Password, try it out 🙂 http://www.stickypassword.com

  7. anthonysomerset

    Add dashlane and 1password to that list of password managers. dashlane is free in its basic form, and costs for syncing – password is a paid application that can sync with other machines via dropbox and it keeps passwords in sync between all your browsers too (for the web devs that use multiple browsers for testing).

  8. Tendai Marengereke

    This issue has been discussed over and over again. The bottom line is if you save passwords using any browser, don’t share your laptop with anyone, even your mother. Or better yet, don’t save your password.

    A master password gives you a false sense of security; the scenario is still the same for all browsers.

    Once a hacker has your laptop and they want to see your password, it’s easy.
    Or rather, like @tinman said, get a password manager.

    Take this example with Firefox:

    1. Open Firefox and navigate to a login page where your password is saved

    2. Right click on password box and click inspect element

    3. In the console at the bottom, change type="password" to type=""

    >now check the password field.

  9. Walter Cruz

    Can you remember ALL of your passwords? Would you use PixelPin?
    WATCH Brian Taylor CEO & Founder of PixelPin to help you decide!!
    http://www.youtube.com/watch?v=Jaue-94oa9o&feature=youtu.be&a

  10. beatnyama

    I believe the problem is not exactly Google Chrome’s problem but rather the need for a third party entity to remember your passwords for you. The moment you reach that stage then be prepared to trade off security.

    I use Lastpass and to make life easier I login once into Lastpass and it automatically fills in passwords for me and offering to save them if it’s new. However, because I’m always logged in into Lastpass, anyone who has access to my laptop automatically has access to all my passwords in Lastpass via the Password Vault. It’s all about sacrificing convenience for security. However, if you are really paranoid about security, it would be best to use two factor authentication for your password manager like Lastpass’ Yubikey, which is a physical token generator which you can use to protect your password vault from unauthorized access.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed