Trying to remember passwords is one of the sucky parts of being online. So many online accounts needing to be set up, and that brings with it so many passwords. And since it is now conventional wisdom that you need a strong password, you can’t get away with PASSWORD or 12345.
So when your browser offers you the convenience of a password manager, the offer is too tempting to pass up. Just tell it all your passwords, it will store them for you, sync them for you, and it will even auto-fill the log-in fields for you. What could possibly be the downside?!
In the case of Google Chrome, quite a lot actually. There’s gaps in it so wide you could walk your pet T-Rex through it.
How the Chrome Password Manager Works
The Chrome password manager is integrated into the browser, and can be enabled in the settings. You have to click “Show Advanced Settings” and then scroll down a bit to see it. Or alternatively you can copy and paste the following into the browser :
This opens up the password manager with all your stored passwords. I am now not using it anymore after realizing its security vulnerabilities. Now I am solely relying on Keepass, so this is an old picture.
Seeing the asterisks in the password area gives a false sense of security. In reality, those asterisks are merely curtains that you can easily pull back. Just tap on one of them and suddenly you see this :
All you have to do is click that “Show” button and the password is revealed in plain text for you to copy and paste at leisure. On a Mac, all you need to do is click “Show” and you get the password. On a Windows computer, there is an additional layer where you have to enter your Windows OS password (assuming you have set one in the first place). Why this additional check is not on any other OS than Windows is beyond me.
The Downsides Of Google Chrome Manager
As I said at the beginning, using Chrome Password Manager is so convenient. It takes away the need to remember something and you can use that saved brain power for watching reality TV instead. Chrome’s sync function also ensures that all passwords are synced across all of your devices.
But while you are marvelling at modern technology, remember this. You are in fact trading convenience for vulnerability. Let’s look at where your potential security shortcomings are.
No PIN Code
If you don’t put a lock on your computer (a PIN code), then anybody can just come along, start up your computer, start Chrome and get your passwords. It helps a bit that there is no “export” function for your Chrome passwords, so nobody can do a “drive-by mass copy and paste”.
If you have hundreds or even thousands of passwords, nobody is going to have the time or the inclination to go copying and pasting every single one. Nevertheless, if you don’t lock the front door, then you are just asking for trouble when a bad crowd starts lurking.
Viewing Chrome Passwords Online
This is the biggie when it comes to “you can’t be serious!”. If you look at the bottom of the Chrome password window, you will see this in small font.
If you go to that link (and sign in), you will see all of your passwords online, in all their glory and finery.
If someone successfully manages to hack into your Google account, they will have all your passwords. So, putting them all online is a very bad idea indeed.
What Can You Do to Strengthen Your Browser Password Security?
I hope you can see how epically bad it is to have your passwords in the browser. So it’s time to lock the door and plug the leaks.
Put a PIN Code On Your Operating System
A good start would be to put a PIN code on your operating system. This stops people from just coming along, booting up your computer, starting Chrome, and looking at your password list. Plus, when you’re away from your computer, put the computer into sleep mode and ensure anyone snooping for passwords will need the PIN code to proceed.
And don’t forget, on a Windows PC, an operating system PIN code adds an extra layer of security for when someone wants to see your passwords.
Use 2-Step Authentication
This has been a part of Gmail for so long now, that anyone not using it only has themselves to blame if they get their account hacked. It only takes 2 minutes to set up, and yes sometimes it gets a bit annoying, but it adds a bullet-proof layer to your Gmail login page.
If you do decide to use your Chrome password manager, you would first need to sign in before viewing the password list. It won’t matter if Mr or Mrs Snooper has your Gmail password – 2-step authentication will stop them in their tracks. To get any further, they would need access to your phone, which I hope you are not casually passing around to people. You should have a PIN code on your phone as well to protect the Authenticator app, and don’t let any SMS messages appear on the lock screen (for when Google sends you 2-step codes by SMS).
Use a Third-Party Password Manager
As I said earlier, I am now exclusively relying on KeePass to store my passwords. The password database is in my Dropbox folder, and provided the database is closed on all my other devices, I can sync any changes to wherever I am working.
But KeePass is not the only possible third-party password manager. We have also repeatedly covered LastPass in the past, and 1Password. You can also go old school and keep your passwords in a text file. You would protect it from prying eyes by keeping it in an encrypted container, which would sit in your cloud account. You can encrypt it with something like VeraCrypt or Windows’ Bitlocker.
Encrypt Your Chrome Password Manager
If you absolutely MUST use Chrome’s password manager, then there is a way to encrypt the whole thing, and which would stop them from being viewable online. However, they are still viewable if Chrome is running or can be opened.
To encrypt the password list, go to Settings (or copy and paste chrome://settings/passwords in the URL bar). At the top is where you would enter your Google account credentials for syncing your browser data. If you are logged into a Google account, you will see a button that says “Advanced Sync Settings“. Click that and look towards the bottom of that box.
Your encryption options will consist of encrypting synced passwords with your Google account details (which is the default setting). Or you can go the more secure route of encrypting the passwords using a separate secret passphrase. Google claims they don’t store your passphrase, so if you forget it, you will need to reset everything.
So think of a phrase that nobody would figure out, enter it twice and save. The next time you use Chrome on your other devices, you will be asked to enter the passphrase before everything syncs. But this is a one time “set it and forget it” deal.
If you now go to the password page online, you will now see this :
Also remember to deselect the password save option in the Chrome settings. Now you won’t be asked if you want to save them or not.
Try Not to Be Too Lazy
We are all lazy to some degree, and anything which affords us a certain amount of comfort and convenience will always be snapped up. But you have to remember that every benefit has a downside as well, and in this case, you are sacrificing your security…for what? Not typing a password? Is it really worth THAT much?
So wipe your browser Password Manager (Settings–>Show Advanced Settings–>Clear Browser Data–>Passwords), and from now on, use a third-party solution. Or encrypt a text file. Then you can relax a bit, knowing you have made any potential password theft a lot harder.
Are you about to delete your Chrome saved passwords? Or do you use a password manager? If so, do you use the standard one in the browser or do you use a third-party one?