What do privacy experts say about using Google Chrome and other browsers for password management?
Thankfully, browsers have made progress and no longer leave your passwords quite so open to external manipulation. If you want to
But have browsers made enough progress that we can recommend storing your passwords in them? Specifically, should you use Google Password Manager, which is conveniently built right into Chrome? According to experts, the answer remains a resounding no.
Even Dedicated Password Managers Can Leak
For a company that’s built on password management, trust is everything. Serious contenders use zero-knowledge techniques to protect your encrypted data so that no one—not the password company, not the government, nobody—can
Even so, errors in implementation can risk password security. In a series of revelations starting last August, we learned that hackers
How to Enable or Disable Google Password Manager
Before getting into whether you should use Google Password Manager, let’s review how you can shut it down (or fire it up, if that’s your choice). First, make sure you’ve enabled Sync in all the Chrome instances where you want to share passwords. Click the three-dot menu at the top right of the Chrome window, then click Settings. The top item in the left-rail menu, titled You and Google, should be selected initially; if not, click it. In the resulting dialog, you can turn syncing on or off.
Now click Autofill, just below You and Google, and click Password manager. If you want to use Google Password Manager, turn on the items Offer to Save Passwords and Auto Sign-in. If not, turn them off.
For more, you can read
What the Experts Say About Browser Password Managers
To supplement my own knowledge and experience, I called on experts from several well-known commercial password manager companies, including Craig Lurey, co-founder and CTO of
Browser Password Managers Are Convenient But Dangerous
Smalakys led with a warning against using a browser’s password manager, saying, “Despite cybersecurity experts’ continuous warnings about the vulnerabilities of browser password managers, internet users continue to fall into the ‘But it’s convenient!’ trap.” Lurey agreed, pointing out that
Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. “Google’s password manager doesn’t use zero-knowledge encryption,” stated Lurey. “In essence, Google can see everything you save. They have an ‘optional’ feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device.”
Smalakys concurred that data stored in the browser isn’t protected the way a password manager’s data is. “Hackers use social engineering methods to trick internet users into downloading new extensions that can easily extract data stored on a browser,” he noted. He went on to say, “While there is nothing wrong with cloud storage of passwords, a company must ensure that users’ data is encrypted before it’s stored in the cloud. Therefore, internet users should choose a service provider that guarantees end-to-end encryption.”
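To make the distinction concrete, here is an added example, not code from this article or from any vendor. It models the two approaches the experts contrast: a vault key derived from a master password that is never stored, and a key kept on the device beside the encrypted data. The function names and the sample entry are made up for illustration.

```javascript
// Added example: a model of the two approaches, not any vendor's real storage format.
const crypto = require('node:crypto');

// Derive a 256-bit vault key from the master password. scrypt is deliberately
// slow and memory-hard, so guessing passwords against a stolen blob is costly.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// AES-256-GCM encrypt; returns everything that may be stored or synced.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the blob was altered.
function unseal(key, blob) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
    d.setAuthTag(blob.tag);
    return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Zero-knowledge model: the client encrypts, the provider stores salt + blob only.
function zeroKnowledgeUpload(masterPassword, secret) {
  const salt = crypto.randomBytes(16);
  return { salt, blob: seal(deriveKey(masterPassword, salt), secret) };
}

// Stored-key model: a random key is kept on the device next to the ciphertext.
function storedKeyVault(secret) {
  const key = crypto.randomBytes(32);
  return { key, blob: seal(key, secret) };
}

const SECRET = 'example.test: hunter2-constructed'; // constructed sample entry
const record = zeroKnowledgeUpload('correct horse battery staple', SECRET);
// What the provider holds cannot be opened without the master password.
console.log(unseal(deriveKey('wrong guess', record.salt), record.blob)); // null
console.log(unseal(deriveKey('correct horse battery staple', record.salt), record.blob));
// With a stored key, whoever can read the device profile needs nothing else.
const local = storedKeyVault(SECRET);
console.log(unseal(local.key, local.blob));
```

In the first model the record that leaves the device contains no key at all, so the strength of the master password is what stands between a copied record and the plaintext.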
Crandell tossed Google a bone, saying, “Any password manager is better than no password manager,” but went on to warn, “The limitation of browser-based password managers is that they work only within a walled garden. If you ever need to operate in another browser, or some environment where that browser doesn’t reach, you’re out of luck.”
Password Managers Have More Features
Lurey offered a laundry list of simple ways in which Chrome’s built-in password manager doesn’t meet the standards of dedicated password management programs. For starters, it’s Chrome-specific; if you use another browser, you’re up the creek. There’s no option for secure sharing of passwords, nor for establishing a
Crandell also highlighted the lack of important features in browser-based password systems. He noted that such systems lack “secure sharing of passwords with colleagues and family, support for biometric login and security keys, reports on whether your passwords are weak, reused, or have been breached, integration with systems at work like SSO, and many other features.”
Smalakys said, “Many browsers do not require a master password or a
Browsers Lock You In
“Be careful about locking yourself into any single big company’s walled garden,” warned Crandell. “It’s important to have freedom to work across all platforms and environments, whether browsers, mobile, or desktop operating systems.”
Smalakys pointed out the danger of connected accounts. “In a scenario…using a Chrome browser, its safety depends on how secure the connected Gmail account is,” he said. “If this Gmail account gets compromised, a hacker could, without much effort, access all the other accounts’ passwords saved on the browser.” In a similar vein, Lurey noted that, “The user must place full trust in Google to protect their information.” If your Google account is breached, so are all your passwords.
A browser is designed for browsing; password management is an afterthought. “Dedicated password managers are putting all their effort into developing a password manager that is secure, and go through independent audits, in order to ensure that security,” concluded Smalakys. Crandell offered a similar sentiment, saying, “Leading password managers focus 100% on enabling both optimum safety and the many use cases for passwords, so are more feature rich.”
Bottom Line, Get a Real Password Manager
Google Password Manager doesn’t use the zero-knowledge encryption techniques that protect password data from everyone, including the password manager company. It doesn’t even use a master password. Dedicated password tools offer many features that you don’t get with a browser built-in. And you can only use Google’s password system in Chrome (or, to an extent, Android). These are just a few of the reasons that you should get a real password manager instead of relying on Chrome.
It’s awfully convenient that Google Password Manager comes as a free feature of a free browser. That’s not a good enough reason to accept limited security for your passwords, though. We’ve evaluated plenty of