What do privacy experts say about using Google Chrome and other browsers for password management? Neil J. Rubenking(Opens in a new tab) from Mashable’s sibling site PCMag has the answers.
Password management programs(Opens in a new tab) have been around since the ’90s, and the major browsers(Opens in a new tab) added password management as a built-in feature in the early 2000s. Ever since then, PCMag has advised getting your passwords out of insecure browser storage and into a proper, well-protected password manager. Back then, we could point to password managers that would extract passwords from your browser, delete them from the browser, and turn off further browser-based password capture. That sure doesn’t sound safe!
Thankfully, browsers have made progress and no longer leave your passwords quite so open to external manipulation. If you want to switch to a dedicated password manager(Opens in a new tab), for instance, you’ll probably have to actively export passwords from the browser and import them into your new product.
But have browsers made enough progress than we can recommend storing your passwords in them? Specifically, should you use Google Password Manager, which is conveniently built right into Chrome? According to experts, the answer remains a resounding no.
Even Dedicated Password Managers Can Leak
For a company that’s built on password management, trust is everything. Serious contenders use zero-knowledge techniques to protect your encrypted data so that no one—not the password company, not the government, nobody—can know your master password(Opens in a new tab) or decrypt your data.
Even so, errors in implementation can risk password security. In a series of revelations starting last August, we learned that hackers compromised a key LastPass employee’s computer(Opens in a new tab) to steal an unknown number of encrypted data vaults. Worse, some important data elements such as login domains weren’t encrypted. It’s hard to trust LastPass(Opens in a new tab) now.
KeePass(Opens in a new tab) is the techie’s favorite password manager, in no small part due to its endless possibilities for customization. However, that same customization power has been revealed as a kind of Achilles’ heel. Anyone who gains access to your computer, either by using a Remote Access Trojan(Opens in a new tab) or by sitting down in your absence, can steal all your Keepass passwords(Opens in a new tab). It’s a simple matter of using Notepad to create an action that exports the passwords to plain text and then sends the resulting data to a drop on the internet. Admittedly, gaining the required access could be tough, but the exploit is possible(Opens in a new window)(Opens in a new tab). Or rather, was possible. The latest KeePass update, 2.53.1, removed the option to export passwords without requiring entry of the master password.
How to Enable or Disable Google Password Manager
Before getting into whether you should use Google Password Manager, let’s review how you can shut it down (or fire it up, if that’s your choice). First, make sure you’ve enabled Sync in all the Chrome instances where you want to share passwords. Click the three-dot menu at top right of the Chrome window, then click Settings. The top item in the left-rail menu, titled You and Google, should be selected initially; if not, click it. In the resulting dialog, you can turn syncing on or off.
Now click Autofill, just below You and Google, and click Password manager. If you want to use Google Password Manager, turn on the items Offer to Save Passwords and Auto Sign-in. If not, turn them off.
For more, you can read How to Master Google Password Manager(Opens in a new tab). No, we don’t recommend it from a security point of view; but, yes, we know some people are going to sacrifice safety for convenience.
What the Experts Say About Browser Password Managers
To supplement my own knowledge and experience, I called on experts from several well-known commercial password manager companies, including Craig Lurey, co-founder and CTO of Keeper(Opens in a new tab); NordPass(Opens in a new tab) CTO Tomas Smalakys; and Michael Crandell, CEO at Bitwarden(Opens in a new tab).
Browser Password Managers Are Convenient But Dangerous
Smalakys led with a warning against using a browser’s password manager, saying, “Despite cybersecurity experts’ continuous warnings about the vulnerabilities of browser password managers, internet users continue to fall into the ‘But it’s convenient!’ trap.” Lurey agreed, pointing out that a recent Keeper blog post(Opens in a new window)(Opens in a new tab) ran down a long list of why browser password managers aren’t safe.
Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. “Google’s password manager doesn’t use zero-knowledge encryption,” stated Lurey. “In essence, Google can see everything you save. They have an ‘optional’ feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device.”
Smalakys concurred that data stored in the browser isn’t protected the way a password manager’s data is. “Hackers use social engineering methods to trick internet users into downloading new extensions that can easily extract data stored on a browser,” he noted. He went on to say, “While there is nothing wrong with cloud storage of passwords, a company must ensure that users’ data is encrypted before it’s stored in the cloud. Therefore, internet users should choose a service provider that guarantees end-to-end encryption.”
Crandell tossed Google a bone, saying, “Any password manager is better than no password manager,” but went on to warn, “The limitation of browser-based password managers is that they work only within a walled garden. If you ever need to operate in another browser, or some environment where that browser doesn’t reach, you’re out of luck.”
Password Managers Have More Features
Lurey offered a laundry list of simple ways in which Chrome’s built-in password manager doesn’t meet the standards of dedicated password management programs. For starters, it’s Chrome-specific; if you use another browser, you’re up the creek. There’s no option for secure sharing of passwords, nor for establishing a digital heir(Opens in a new tab) for your password collection. The browser stores only passwords, not personal details such as addresses, account numbers, and credit cards.
Crandell also highlighted the lack of important features in browser-based password systems. He noted that such systems lack “secure sharing of passwords with colleagues and family, support for biometric login and security keys, reports on whether your passwords are weak, reused, or have been breached, integration with systems at work like SSO, and many other features.”
Smalakys said, “Many browsers do not require a master password or a multi-factor authentication (MFA)(Opens in a new tab) approval.” Google does permit MFA, but doesn’t require it. And, indeed, there’s no master password. If you leave your desk with Chrome active, anyone who has access can log into your accounts. The same is true if you let someone else use your phone.
Browsers Lock You In
“Be careful about locking yourself into any single big company’s walled garden,” warned Crandell. “It’s important to have freedom to work across all platforms and environments, whether browsers, mobile, or desktop operating systems.”
Smalakys pointed out the danger of connected accounts. “In a scenario…using a Chrome browser, its safety depends on how secure the connected Gmail account is,” he said. “If this Gmail account gets compromised, a hacker could, without much effort, access all the other accounts’ passwords saved on the browser.” In a similar vein, Lurey noted that, “The user must place full trust in Google to protect their information.” If your Google account is breached, so are all your passwords.
A browser is designed for browsing; password management is an afterthought. “Dedicated password managers are putting all their effort into developing a password manager that is secure, and go through independent audits, in order to ensure that security,” concluded Smalakys. Crandell offered a similar sentiment, saying, “Leading password managers focus 100% on enabling both optimum safety and the many use cases for passwords, so are more feature rich.”
Bottom Line, Get a Real Password Manager
Google Password Manager doesn’t use the zero-knowledge encryption techniques that protect password data from everyone, including the password manager company. It doesn’t even use a master password. Dedicated password tools offer many features that you don’t get with a browser built-in. And you can only use Google’s password system in Chrome (or, to an extent, Android). These are just a few of the reasons that you should get a real password manager instead of relying on Chrome.
It’s awfully convenient that Google Password Manager comes as a free feature of a free browser. That’s not a good enough reason to accept limited security for your passwords, though. We’ve evaluated plenty of free password managers(Opens in a new tab) that offer serious protection for your passwords at that same zero-dollar price—use one of them instead.