Using Google Chrome to manage your passwords is a bad idea. Here’s why.


What do privacy experts say about using Google Chrome and other browsers for password management? Neil J. Rubenking(Opens in a new tab) from Mashable’s sibling site PCMag has the answers.

Password management programs(Opens in a new tab) have been around since the ’90s, and the major browsers(Opens in a new tab) added password management as a built-in feature in the early 2000s. Ever since then, PCMag has advised getting your passwords out of insecure browser storage and into a proper, well-protected password manager. Back then, we could point to password managers that would extract passwords from your browser, delete them from the browser, and turn off further browser-based password capture. That sure doesn’t sound safe!


The best password managers for all your online accounts

Thankfully, browsers have made progress and no longer leave your passwords quite so open to external manipulation. If you want to switch to a dedicated password manager(Opens in a new tab), for instance, you’ll probably have to actively export passwords from the browser and import them into your new product.

But have browsers made enough progress than we can recommend storing your passwords in them? Specifically, should you use Google Password Manager, which is conveniently built right into Chrome? According to experts, the answer remains a resounding no.

Even Dedicated Password Managers Can Leak

For a company that’s built on password management, trust is everything. Serious contenders use zero-knowledge techniques to protect your encrypted data so that no one—not the password company, not the government, nobody—can know your master password(Opens in a new tab) or decrypt your data.

Even so, errors in implementation can risk password security. In a series of revelations starting last August, we learned that hackers compromised a key LastPass employee’s computer(Opens in a new tab) to steal an unknown number of encrypted data vaults. Worse, some important data elements such as login domains weren’t encrypted. It’s hard to trust LastPass(Opens in a new tab) now.

KeePass(Opens in a new tab) is the techie’s favorite password manager, in no small part due to its endless possibilities for customization. However, that same customization power has been revealed as a kind of Achilles’ heel. Anyone who gains access to your computer, either by using a Remote Access Trojan(Opens in a new tab) or by sitting down in your absence, can steal all your Keepass passwords(Opens in a new tab). It’s a simple matter of using Notepad to create an action that exports the passwords to plain text and then sends the resulting data to a drop on the internet. Admittedly, gaining the required access could be tough, but the exploit is possible(Opens in a new window)(Opens in a new tab). Or rather, was possible. The latest KeePass update, 2.53.1, removed the option to export passwords without requiring entry of the master password.

How to Enable or Disable Google Password Manager

Before getting into whether you should use Google Password Manager, let’s review how you can shut it down (or fire it up, if that’s your choice). First, make sure you’ve enabled Sync in all the Chrome instances where you want to share passwords. Click the three-dot menu at top right of the Chrome window, then click Settings. The top item in the left-rail menu, titled You and Google, should be selected initially; if not, click it. In the resulting dialog, you can turn syncing on or off.

How to change password settings on Google Password Manager

Credit: Google

Now click Autofill, just below You and Google, and click Password manager. If you want to use Google Password Manager, turn on the items Offer to Save Passwords and Auto Sign-in. If not, turn them off.

For more, you can read How to Master Google Password Manager(Opens in a new tab). No, we don’t recommend it from a security point of view; but, yes, we know some people are going to sacrifice safety for convenience.

What the Experts Say About Browser Password Managers

To supplement my own knowledge and experience, I called on experts from several well-known commercial password manager companies, including Craig Lurey, co-founder and CTO of Keeper(Opens in a new tab); NordPass(Opens in a new tab) CTO Tomas Smalakys; and Michael Crandell, CEO at Bitwarden(Opens in a new tab).

Browser Password Managers Are Convenient But Dangerous

Smalakys led with a warning against using a browser’s password manager, saying, “Despite cybersecurity experts’ continuous warnings about the vulnerabilities of browser password managers, internet users continue to fall into the ‘But it’s convenient!’ trap.” Lurey agreed, pointing out that a recent Keeper blog post(Opens in a new window)(Opens in a new tab) ran down a long list of why browser password managers aren’t safe.

Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. “Google’s password manager doesn’t use zero-knowledge encryption,” stated Lurey. “In essence, Google can see everything you save. They have an ‘optional’ feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device.”

Smalakys concurred that data stored in the browser isn’t protected the way a password manager’s data is. “Hackers use social engineering methods to trick internet users into downloading new extensions that can easily extract data stored on a browser,” he noted. He went on to say, “While there is nothing wrong with cloud storage of passwords, a company must ensure that users’ data is encrypted before it’s stored in the cloud. Therefore, internet users should choose a service provider that guarantees end-to-end encryption.”

Crandell tossed Google a bone, saying, “Any password manager is better than no password manager,” but went on to warn, “The limitation of browser-based password managers is that they work only within a walled garden. If you ever need to operate in another browser, or some environment where that browser doesn’t reach, you’re out of luck.”

Password Managers Have More Features

Lurey offered a laundry list of simple ways in which Chrome’s built-in password manager doesn’t meet the standards of dedicated password management programs. For starters, it’s Chrome-specific; if you use another browser, you’re up the creek. There’s no option for secure sharing of passwords, nor for establishing a digital heir(Opens in a new tab) for your password collection. The browser stores only passwords, not personal details such as addresses, account numbers, and credit cards.

Crandell also highlighted the lack of important features in browser-based password systems. He noted that such systems lack “secure sharing of passwords with colleagues and family, support for biometric login and security keys, reports on whether your passwords are weak, reused, or have been breached, integration with systems at work like SSO, and many other features.” 

Smalakys said, “Many browsers do not require a master password or a multi-factor authentication (MFA)(Opens in a new tab) approval.” Google does permit MFA, but doesn’t require it. And, indeed, there’s no master password. If you leave your desk with Chrome active, anyone who has access can log into your accounts. The same is true if you let someone else use your phone.

Browsers Lock You In

“Be careful about locking yourself into any single big company’s walled garden,” warned Crandell. “It’s important to have freedom to work across all platforms and environments, whether browsers, mobile, or desktop operating systems.”

Smalakys pointed out the danger of connected accounts. “In a scenario…using a Chrome browser, its safety depends on how secure the connected Gmail account is,” he said. “If this Gmail account gets compromised, a hacker could, without much effort, access all the other accounts’ passwords saved on the browser.” In a similar vein, Lurey noted that, “The user must place full trust in Google to protect their information.” If your Google account is breached, so are all your passwords.

A browser is designed for browsing; password management is an afterthought. “Dedicated password managers are putting all their effort into developing a password manager that is secure, and go through independent audits, in order to ensure that security,” concluded Smalakys. Crandell offered a similar sentiment, saying, “Leading password managers focus 100% on enabling both optimum safety and the many use cases for passwords, so are more feature rich.”

Bottom Line, Get a Real Password Manager

Google Password Manager doesn’t use the zero-knowledge encryption techniques that protect password data from everyone, including the password manager company. It doesn’t even use a master password. Dedicated password tools offer many features that you don’t get with a browser built-in. And you can only use Google’s password system in Chrome (or, to an extent, Android). These are just a few of the reasons that you should get a real password manager instead of relying on Chrome.

It’s awfully convenient that Google Password Manager comes as a free feature of a free browser. That’s not a good enough reason to accept limited security for your passwords, though. We’ve evaluated plenty of free password managers(Opens in a new tab) that offer serious protection for your passwords at that same zero-dollar price—use one of them instead.

#Google #Chrome #manage #passwords #bad #idea #Heres


Related Posts

Marvel’s Blade Movie Delayed by Writer’s Strike

[ad_1] Marvel’s vampire hunter Blade is a fierce warrior but he may have finally met his match: labor unions. The upcoming, long-in-development reboot of the Marvel franchise…

How to Watch the Coronation of King Charles III Live

[ad_1] King Charles III officially shed his princedom when Queen Elizabeth II died, and the British royal’s new position will be formalized on May 6 in a coronation…

‘Quordle’ today: See each ‘Quordle’ answer and hints for May 6

[ad_1] If Quordle is a little too challenging today, you’ve come to the right place for hints. There aren’t just hints here, but the whole Quordle solution….

How to use a passkey instead of a password to sign into your Google account

[ad_1] Passwords have always been a necessary evil, giving you the choice of either using one that is too simple (so you can easily remember it) or…

Amazon quietly acquired audio content discovery engine Snackable AI to boost its podcast projects

[ad_1] Amazon quietly acquired New York-based audio content discovery engine Snackable AI last December to boost its podcast features, as first reported by New York Post. The…

Warhammer 40K’s New Tyranid Screamer-Killer Is a Great Update

[ad_1] A new edition of Warhammer 40K means new models—and for some of the 40-year-old wargaming franchise’s creatures and characters, that means updates they’ve not had in…

Leave a Reply

Your email address will not be published. Required fields are marked *