How to protect passwords in Google Chrome
The last couple of days have been filled with "news" that Google Chrome is saving passwords in clear text. If you have followed this blog you know that since 2008 when I first mentioned that fact.
Anyway, most authors who picked up the news from Elliott Kember criticize Google for saving passwords in a way that makes them accessible to anyone with access to the system. Google on the other hand defends the practice stating that it is too late anyway if someone got physical access to the computer system.
While that is sound advice, it does not change the fact that many users are likely unaware of this. And it does not really have to be a rare-case scenario where a support technician comes over, or where you leave a friend alone for a couple of minutes with your PC.
Many families share a single computer, so that kids may access their parents passwords, say for the router and there the parental controls. Another scenario where this may end badly is if you are giving the PC away to someone else. While you should format and delete all data on it before you do, some users may not be aware of the implications so that the receiving party may access the password storage in Chrome after all.
If you look at Firefox you will notice that the browser offers a master password feature that locks the passwords until a master password has been entered by the user. This way, it is not possible to display all the passwords right away.
Is there something like that for Google Chrome? The stock browser does not support the feature, but you still have a couple of options at your disposal to protect your passwords from being accessed by third parties.
Check if your passwords are stored in clear text in Chrome
To see whether your Chrome saves passwords, do the following:
- Type chrome://settings/ in the address bar and hit the enter key.
- Click on Show advanced settings at the bottom to display more preferences.
- Scroll down to the passwords and forms section and click on Manage saved passwords there.
When you hover over a saved password here, you will notice that a show button appears in the password field. When you click it, the password is revealed so that you can copy or remember it.
To avoid that this is happening, make sure the "Offer to save passwords I enter on the web" box on the preferences page is not checked. This prevents Chrome from recording new site logins automatically.
Password protection
But how can you protect your passwords in Chrome then? The answer is by installing a browser extension, or by using a desktop password manager.
Chrome users can install the free Last Pass for example which protects all passwords with a master password that you select. It adds many other features to the browser, like the ability to sync passwords between different web browsers, form saving, the ability to save other data in your password vault and more.
Last Pass is definitely one of the most convenient options that you have, as it integrates directly in the browser. Setup may take a couple of minutes but once you are done, you are all set and it will run in autopilot.
If you prefer to use a desktop program instead, for instance because you do not want your passwords to be saved in the cloud, then you may want to use a program like KeePass instead.
Advertisement
I have kept using Firefox for all the browsing for which I don’t care if anyone knows the password to. These include emails for subscriptions and other stuff. For the personal emails, I will use Chrome but never ask it to remember the password. I am tempted to try Keepass yet feel uneasy to send my passwords to the cloud in case Keepass closes someday.
I’m using Roboform, and I have nothing to complain (of course it’s shareware)
How many people in here using it?
Every year, someone discovers that Chrome doesn’t protect its saved password, and propagandists from other vendors (e.g. Ed Bott) scream at the lax security, as if it is “news”. Anyone who has used Chrome knew of this “vulnerability” and has accepted that it is insecure. Maybe Chrome is wrong for not protecting saved passwords, but I no longer allow browsers to save passwords for anything. That’s why we have password managers.
I had been using Lastpass but has grown uneasy since the “security breach” some time ago. And with the Snowden scandal, I have not used LP at all. Now I use KeePass 2.xx, and I use KeePassHttp and ChromeIPass to interface with Chrome. It’s almost as good as LP, and is not readily exploitable by the NSA.