Is the Google Chrome Password Manager secure? There’s no denying the convenience of using Google Chrome to remember and autofill your passwords, but there are a few good reasons to consider avoiding these native browser services. Here’s what you need to know.
There are people who have heard of password managers but never bothered to download them – maybe because they don’t trust them.
Perhaps they just didn’t want to pay?
The Google Chrome Password Manager gives you a basic password manager for free and without any installation. So why should you bother with other fancy password managers that demand your money?
There are a number of browsers with inbuilt password managers and honestly, they’re just okay-ish. While they cannot replace full-fledged password manager apps, they’re better than nothing.
Browser-based password managers are better than having nothing.
When you use Chrome or any of the good Chrome alternative browsers and enter a password for the first time on a new website, you’ll get a prompt asking you if you want to save that password. That’s Chrome’s password manager right there.
You can select Save if you want to save that password or click on Not Now if you don’t want to save it.
It’s convenient, I’ll give it that. Built-in password managers don’t need separate installation and they’ll store the passwords automatically.
But is Google Chrome password manager secure?
Note: Some of the links in this article are affiliate links, which means that at no extra cost to you, I may be compensated if you decide to use some of the services listed. I don’t recommend anything I don’t personally use, however, and the same holds true here.
Vulnerabilities of Browser-Based Password Managers
Browsers weren’t built to be password managers.
Period.
Google Chrome is no different than Firefox, Safari, Edge and others. The password manager is an add-on feature that is meant more for convenience. It’s not even an integrated solution like what you’ll find with Samsung Pass on Galaxy devices.
So is Chrome password manager secure?
Here are the vulnerabilities to look out for.
#1. Google Chrome isn’t a Good Password Generator
One feature of most respectable password manager apps is the option to have them generate extremely complex passwords. While it is possible to generate a password in Google Chrome (it’s not an intuitive feature), they aren’t good.
For example, if I were to try to create a new Twitter account using Chrome, I could right click on the password box to find an option for Chrome to suggest a password.
There are a couple problems here. First, this option doesn’t always show up when you right click on a password box, and there is no way to find the feature elsewhere in the Chrome browser.
Second, and most importantly, the password that Google generates is surprisingly simple and you’re given no option to alter it.
According to the All Things Secured password checker, the password you see above is strong. However, you don’t have the ability to…
…tell Google to create a longer password;
…tell Google to use symbols in the password;
…copy that password instead of having Google input and save it.
Compare that with a free, third-part password generator. You are given the ability to determine length, which kind of characters are used, and to copy the password.
#2. Using Google Chrome Puts All Your Eggs in One Basket
Using Google Chrome as your password manager locks you in to only using Google Chrome.
- What if you use Safari or another browser on your phone?
- What if you decide that you no longer want Google watching what you do on Chrome (yes, they track your usage to “optimize the web experience”) and you want to move to another, more secure browser?
- What if you need to use another computer and you need access to your passwords?
When you use Google Chrome’s password manager, it can only be used with Google Chrome.
And let’s not forget…Google is a for-profit company.
At the end of the day, Google is beholden to its shareholders and they are in the business of using your data to sell ads. While it’s highly unlikely that Google will use this data, it’s just better to avoid putting all your sensitive data in one place.
Solution: Switch to using a password manager such as Dashlane to keep your passwords separate from your Google Chrome or other browser.
#3. Google Chrome Password Manager isn’t Well-Secured
Default password managers are weak and extremely vulnerable since they’re designed to be convenient, not secure.
Any hacker with basic skills and resources can hack a browser password manager.
But that’s not the worst part.
The problem is you don’t even need hacking skills at all to hack these passwords.
Consider this scenario. A colleague asks for your laptop for a couple of hours because they have to complete an important presentation and their laptop died right in the middle of it.
You give them your laptop and your Windows password. You don’t have any personal photos on it so there’s nothing to worry, right?
Your friend can now easily open all the passwords that have been saved by the default Chrome password manager just by entering your Windows password.
Your accounts would be hacked without you even knowing about it.
Firefox and Google Chrome password managers are weak. This is why it’s important to have a password manager to help you keep your passwords in order.
Solution: If you’re dead set on not using a password manager like Dashlane, at the very least I recommend that you use a double blind password for maximum security.
How to Be Safe with Google Chrome Password Manager
If you absolutely, 100%, and under any circumstances, do NOT want to install a password manager, I get it. I was the same way for quite a while.
If that’s you, here are a few steps you can take to make sure you remain safe using the Google Chrome Password Manager.
- Guard Your System Password: Make sure you guard your operating system password. Your Chrome browser opens its vault to anyone who has the password to your operating system so make sure you don’t give it to just anyone.
- Lock Your Computer When You Leave It. It’s pretty easy. Just keep the Windows key pressed and hit the L key. Or put your Mac to sleep and make sure your settings require a password to return from sleep. Your computer will be locked and your passwords and other files will be safe.
- Use Unique Passwords for Each Account: A password manager is just a tool; you still need to be smart in how you use it. Passwords like “abc” or “123” are a big mistake and so is keeping the same password for all accounts. Your system password can be used to unlock all your other passwords so of all your passwords, you should make sure that this password is sedcure.
- Encrypt Your Hard Drive: This is an advanced tip, but a good one to consider. You can encrypt your hard drive so that even if someone has access to your computer doesn’t get to see your passwords.
The more keys you store in your Chrome lockbox (i.e. banking, investment, email, social, etc.), the most cautious you should be.
Sometimes it’s not just a question of is Chrome password manager secure. You might be surprised to find how many passwords Chrome has already stored in its vault that you don’t remember putting there.
Are Password Managers worth the Money they Charge?
Password managers save your passwords just like Chrome does. And they auto-fill the forms whenever you’re asked for a password – just like Chrome.
As we’ve discussed, though, there are risks to using the Google Chrome Password Manager.
Does that make 3rd party password managers worth the money?
It’s really up to you.
Personally, I prefer using password managers because they give me the ability to:
- Generate custom passwords that are extremely strong;
- Hide those passwords behind a master password that is separate from your system password;
- Store those passwords in a software-agnostic vault (i.e. it can be used to recall passwords in any software or app, not just Chrome);
- Secure and encrypt not only passwords but also documents, photos and other files;
I don’t want to sound like an advertisement here, but it really is a no-brainer. Even though these links are affiliate links, Dashlane offers a free version of their software, so it doesn’t even matter.
You’ll end up creating better passwords, monitoring the strength of your passwords, and using those passwords to log into any and everything you might need on your computer, tablet or phone.
Passwords are Important
It’s worth giving them extra security.
Extra Advantages of Password Managers
Google Chrome password manager just stores your passwords. That’s it.
A quality password manager app, on the other hand, provides features that go above and beyond what you’ll get with Google Chrome. As you’ll see, many of these features help to increase your security.
- Identifying Weak Passwords: Good password managers will tell you which of your passwords are weak and need to be changed. They even make the process of changing them easy.
- Dark Web Monitoring: Good password managers will also keep an eye on the internet to make sure your information isn’t floating out there. If so, they’ll tell you what to do and what passwords you need to change.
- Multi-Factor Authentication: You can make your passwords even more secure by enabling 2-factor authentication. This extra layer of security requires you to use second means of verification, such as a text message or a physical security key to make sure nobody but you can see the passwords.
- Secure Document Storage: Use this same security to store a digital backup of your most sensitive files. This is helpful if you need to securely share files or if you want a backup in case your personal computer crashes.
How Much do Paid Password Managers Cost?
Most password managers such as Dashlane, 1Password, and LastPass cost about $2-$4 per month and they can be paid annually.
Honestly, that’s really not that much.
For just a couple of dollars each month, you get premium password security and the peace of mind knowing that your passwords are safe, even if you forget them.
Better yet, most of these password managers offer a free version (often restricted by the number of devices) so you can start giving it a try before buying it.
Final Thoughts | Google Chrome Password Manager
The thing with password managers is that you need to break your bad password habits to use them. And habits are the main reason people don’t try anything new.
Once you start using a password manager, you’ll get used to it as most password managers are really simple to use.
Sure, using the Chrome password manager is better than using nothing because it DOES remember your passwords after all. But there are some serious vulnerabilities that are simple to avoid.
Can you settle for that?
I use the password manager in chrome and it most certainly recommends complex passwords.
This is true, but you have no control over those passwords. Most other password generators will allow you to choose what kind of characters, how many, etc. It’s a minor detail, but in many cases it can make a big difference.
If you have passwords in google password management; when I change from Google chrome to Dash lane. Will my passwords be forward to Dash lane AUTOMATIc?
It’s fairly easy to export your passwords from Google Chrome and upload them into Dashlane. Not automatic, but it will take you less than 5 minutes to export your data from Chrome and upload it to Dashlane to use.
Chrome password manager has gotten some improvements over the last few months(It is now Jan 2020).
I don’t really see a drawback to not being able to choose the number of characters, etc, in the complex passwords it generates. I don’t want to know the passwords anyway, ha! you can also edit the password before you choose it and save it, so if you are wanting the customization you can.
Thanks for your info and tips on digital safety!
If the double-Blind strategy is the best way to use third party managers, why not use the same method with Chrome? I’m here trying to decide if I want to go with a third-party manager, and have learned of the double-blind method. if it can be used with Chrome, I think it would nullify any argument that it is not secure. Especially now that it has a strength test, as well as showing which passwords are in the wild, etc. I actually hope that the Chrome password manager will improve enough to effectively remove the need for third-party managers.
Vizn, you make an interesting point on using double blind. since chrome today recommends 15-char passwords, 4-8 additional symbols/letters will take the password into the realms of virtually unguessable.
One security vendor I know is concerned about passwords being resident in memory and being susceptible to keylogging. It would be interesting to know how password managers (including but not limited to Chrome) auto-fill and how compromisable the autofill process is?
This keylogging IS a good question. It is a very usefull feature since my devices are never ever shared with anyone.
CHrome’s password manager does generate Complex Passwords. Check your facts before publishing.
I guess it depends on your definition of “complex”. As far as secure passwords go, they’re so-so. The biggest problem is that you have no control over how the passwords are generated (length, type of characters, etc.).
Is using the Chrome Password Generator better than nothing? Sure. Is it even close to the best password generator out there? Not by a mile.
try norton password manager its free and you can generate any password and control the length of the password.
i use it and i like it i also use chrome for less SECURE websites .
CHROME IS GETTING BETTER WITH PASSWORDS TOO.
Guess you need to update this article or delete it, google password manager (Jul 2020) let me modify the suggested password, add more letters or characters and more improvements
Thanks, Cat. I think perhaps I need to be more clear. Obviously we can modify the suggested password after it’s been copied in. However, Google doesn’t give you any control over the suggested password (i.e. whether it has numbers, symbols, special characters, etc.). The problem here is that some logins have specific requirements for their passwords and Google’s password manager doesn’t give you any control other than just modifying the password after they’ve given it to you.
i use chrome password manager to store my passwords but I use a separate password generator with 16 up to 64 character passwords with symbols and similar looking characters. I keep my chrome browser under Google Titan Security Keys and Advanced Protection Program so even if my password does get phished it is useless without the physical keys. Chrome password manager is just fine. Don’t share your browser profile, ever
Looks like you’ve got a great security setup there, Jeremy. My only observation is that you’re putting all your security eggs in the Google basket. Although your risk is very low, the fact that everything you’ve mentioned (Chrome, Titan, APP) is all Google-based concerns me personally. I’d want to take at least one of those pieces and make it a separate 3rd party provider.
Just my two cents! Thanks for commenting.
If I use lastpass, roboform, Dashlane or others, I would also be putting “all my security eggs’ into their basket! What is the difference?
Well, you can minimize the risk you’re talking about using the double blind password strategy. When I talk about “all my security eggs”, I’m referencing more than just passwords. I don’t want to trust one company with all my data (i.e. if Google has my email, my Google Drive docs, my internet browsing history AND all my passwords…that’s a high risk).
Yeah, all in one basket, the google basket. Put them all in the dashline basked instead. Because google is a for profit company. And I guess…dashline is something different than that.
Hey Andy, thanks for your comment. When I say “all in one basket”, I’m referring to the fact that Google handles my email, my web browsing, my video viewing…and I personally don’t want them also handling all my passwords. I recognize that Dashlane is a for-profit company as well, but they’re separate from Google.
to me this is going to be a never ending story, any company now have a profit purpose, what if tomorrow (any you know that may happen) Dashlane announces that they have been hacked somehow and all the users passwords too … end of story …. so let’s go back to pen and paper guys and we’re all going to be happy
I have been using this feature of Chrome for several months. I have to disagree on a couple facts in your article. First, using chrome on Windows 10, while logged into the machine with my Microsoft account, I am unable to see my passwords if I don’t also log into my Google account.
Second, I am able to add additional characters to generated passwords. I am also able to use any type of character on my keyboard. I am not limited to the alphabet – upper and lower case. I can use @#&*123 etc. Basically any character on my keyboard.
No shade, but from a security perspective google password manager doesn’t cut it. Here’s why
1. Weak Encryption –> AES-256 IS STRONG BUT NOT COMPARABLE TO OTHER PASSWORD MANAGERS WHO USE better encryption methods
2. Attack vector –> google is arguably the most attacked online service of all time. High target = greater risk.
3. Zero knowledge system??? –> Google knows everything about you. this may not concern you but if you are concerned over privacy it should.
google is not a bad password manager but it can hardly be called good either. does it support dual factor authentication at login level? how configurable are security parameters?
again google isn’t bad, but its hardly more privacy oriented than password managers built for privacy.
After first using the Chrome Password Feature, I have been using Bitwarden for a couple of years and am very happy with how it works etc. It is able to Generate many different “levels” of passwords for almost if not every type of on line set ups that require passwords. i did try LastPass, but someone suggested to me to try bitwarden, and to be honest i thought it was/is easier to use, than lastpass.
I’m glad you found and are enjoying Bitwarden, Dave! For me, it doesn’t matter which tool you use as long as you’re using something to make your passwords better. 🙂
My biggest concern with external password managers is that they are…external! I used roboform for years until they converted to storing passwords in the cloud. This is no longer under my direct control or protection, unlike the desktop computer on my network in my home. My understanding is that Dashlane does the same. Does anyone know of a good password manager other than Google which allows local storage?
Hey John, great questions. And to be clear, Google stores your passwords in the cloud as well if you set up Chrome sync.
I recommend 1Password as a good option. They offer an advanced setting that let you store your vault locally – or to a cloud server of your choosing (Dropbox, OneDrive, etc.) – instead of their cloud service.
“What if you need to use another computer and you need access to your passwords?”
Then I just log on to Google, and boom!
What do you do if you need to use another computer and you need to access your passwords, using Dashlane, 1Password or LastPass?
That’s a good point, Grinaldo, and I need to update this to reflect this. You can log into your Google account to access this, but again…you’re putting all your eggs in one basket here. If somebody is able to hack into your Google account, they can all of the sudden access your banking and now, if you use their password storage, pretty much every other account you have.
The other password managers offer a similar online login if you choose to use it, so it’s just as easy.
“If somebody is able to hack into your Google account” well why not set up two-factor authentication for your Google account… I use it and you have the option to use the google app to answer a yes/no question rather than enter a six-digit number.
I do agree with never using Google’s suggested password; they tend to be weak.
You will at some point lose your password (online or local manager) and will have to manually enter passwords on whatever equipment is available. Think about this problem when you make up complex passwords and may have to type dollar or euro signs or hash marks that require different keyboards…
This is a good point, Carls, and that might be a good reason to make sure you use less complex passwords on those accounts that you may access on a device that doesn’t have a good keyboard (i.e. Netflix and your TV). However, that alone doesn’t mean you shouldn’t use complex passwords for most of your accounts.
Hey Josh,
First off, thanks for being super respectful in your above responses.
So since you posted this, the google password manager has had a lot of improvements–it notifies you if your passwords have been compromised, if they are weak, or if you use duplicate passwords. It’s also nice since it remembers and can use passwords for apps (at least on android).
Something weird I noticed is that on windows machines like you mentioned it asks for your computer login info, but on android and linux (didn’t test on mac) it asks for google password. I wonder if it is possible to tell google to always ask for password and 2-step authentication, because that would be much better imo.
I’m pretty conflicted in the whole ‘all eggs in one basket’ issue. On the one hand, I trust Google more than a smaller company like dashlane, 1password, etc. Given this, an advantage of putting all your eggs in one basket is that if random ‘basket’s are compromised, you’re less likely to get hurt. If I store my personal information in google maps, google drive, google mail, etc., vs. apple maps, dropbox, yahoo mail, etc., then it’s more likely one of them will get hacked and my personal information will be out there than all of them get hacked.
The problems of course are that 1) specific parts of Google can be compromised independently. 2) if google as a whole is compromised, that’s very bad, as you mentioned. These are real problems.
In summary, great article, I’m going to have to consider my options to decide how to move forward.
One point in favor of Google Passwords storage is that your account is one of millions so in a sense there is an element of safety in numbers / lost in the herd / small fish in the shoal.
Also I had read somewhere that these 3rd party password vault companies could be bought out by unknown parties with malicious intents. How safe is your data when/if this happens?
People who were part of the Target hack or the Experian hack were one of millions…I’m not sure that protects you in any way.
And while there might be an element of trust with any 3rd party software (this is true of *any* software, mind you), the fact that your vault cannot be opened by the company without your special keys makes this mostly a moot point.