Over a thousand people in Chrome support forums complain that Google Chrome still does not have a master password to protect your saved website login passwords from prying eyes. This is a particularly sore point for previous users of Firefox – which does feature a master password for better security.
The Google Chrome password manager is found in Chrome via Wrench (spanner) / Options / Personal Stuff / Managed Saved Passwords and contains a list of login usernames and passwords you have saved for websites – clicking ‘Show’ displays each password.
Because the passwords are stored in a database (in %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data) you can also use a tool such as Nirsoft’s Chromepass to read this database and get a full list of all these usernames/passwords – e.g. to save them to a text file to print off. We look at how secure your saved passwords are in Chrome – and compare it to Firefox.
How Chrome Stores Saved Passwords – Chrome encrypts these passwords using your Windows logon password.
- Can another user account on your computer read them? No, not unless they know your user account password.
- What if someone copies your password database to another computer? They still won’t be able to read it without knowing your Windows logon password.
- What if someone uses password reset tools to reset/change your password from outside of your user account and then logs in as you? Again, they will not be able to read the passwords – in fact all your Chrome passwords become unreadable if your Windows password is changed by anyone except you. Even tools like ChromePass can’t access them – unless you tell it your previous Windows logon password.
Warning: if you forget your Windows logon password and have to reset/blank it using special tools (or from an admin account) you will lose access to all your Chrome saved passwords – you can’t view them or automatically login to stored websites! This is a disadvantage that Google really should warn you about…
How Firefox Stores Saved Passwords – Firefox stores saved passwords in plain text so, in all 3 situations above, someone else can easily read your saved passwords. By default then, Chrome is far more secure. However, remember that hacking tools can quickly find out your Windows logon password if it is a simple one i.e. less than 10 characters and not a mix of letters, numbers and symbols.
If you use an easy to guess Windows logon password then all bets are off – someone can find that out and use it to read all your Chrome saved passwords.
What About A Master Password?
Firefox includes a Master Password option whereas Chrome doesn’t. Setting a master password in Firefox encrypts all saved passwords to triple DES standard which is extremely secure.
And because the Master Password doesn’t use your Windows logon password to encrypt the database, Firefox does not suffer from the ‘forgotten password’ problem of Chrome i.e. even if you had to reset your Windows password or move your Firefox database to another computer you could still view your saved passwords – if you knew the Master Password.
Why Doesn’t Google Chrome Have A Master Password?
Google’s response in the Chrome support forum is baffling: ‘Our decision not to implement the Master Password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit’.
In our humble opinion that is misguided – there is no valid security reason why Chrome should not add a master password option to increase security for those that want it.
Chrome’s default security relies totally on the strength of your Windows logon password – and for many people that is minimal… If you have a very strong Windows password then Chrome passwords are also secure, but if you have a weak Windows password like ‘12345’ (or none at all) then your Chrome passwords are very insecure.
We also don’t like the fact that if you forget your Windows logon password you lose all your Chrome passwords. In theory the same goes for Firefox’s Master Password but at least users know they have purposely set that up whereas most Chrome users won’t have a clue that their Windows password is absolutely crucial to how their passwords are stored in Chrome…
Conclusion
Chrome’s password security is certainly better than Firefox’s default security (although the reliance on Windows passwords is poor). However, Firefox excels by offering a Master Password which achieves far better protection than Chrome – even a weak Master Password using Triple DES encryption is much harder to crack than a weak Windows logon password.
See our review of LastPass – a secure password manager that effectively adds Master Password functionality (and a lot more) to Chrome. It’s just a shame that Google are ignoring this issue and not providing the option for security conscious users.
Personally, I want the extra layer of security (time) that Firefox gives me in case my laptop is stolen. They can work on my firmware password, then they can work on my User account password, okay, but then Google say I should just reward the thief’s effort by letting them just open my browser and walk through my life. Really???
I personally don’t want to give up that stuff that easily. Sorry Google. I have people in my life that I share my computer with; like a girlfriend, assorted friends, etc… Google says, ” don’t just close your browser and reopen so its auto-fill is locked, log out and make your girlfriend use a guest account to look at your photos through some sort of third party website or some other crap.” All because I want my bank password private. I don’t think that’s to much to ask…
It does seem odd that thousands of potential/current Chrome users recognize this is a useful security feature but Chrome developers choose to ignore it…
Do not even trust your girfriend or parents with your banking credentials at any cost. A few tips here:
1. Never access banking sites from search results given by Google. Always try to type the address directly in the address bar.
2. Using a new private window of your browser is the safest pratice for online banking.
3. Use passwords involving random combination of upper case and lower case letters, numbers and special characters. Never use dictionary words or personal info for it.
4. Try to memorize your passwords as far as possible. Do not write it down or store on your computer. Never use the auto fill feature for the same. Got it?? Whether you’re using FF or Chrome
5. Keep your O.S up to date with the latest patches and use the latest definitions of your antivirus and install a firewall alongside.
6. Change your password after a few months or so, and never use the same password to log in to other sites.
7. Do not click any pop-ups that may appear on your browser and which may redirect you to another site asking for your identification and password.
8.Make sure that you log out after each session and clear all your browsing history, cookies and any traces.
9. Make sure that the site address has https instead http protocol. Make sure that your transaction is encryped by looking at the bottom right corner for a padlock.
Still no master password now ?
And does the EXTENSION works perfectly ?
Thanks.
Doesn’t look like there will ever be a master password for Chrome, people have been asking for years…
Try Simple Startup Password : https://chrome.google.com/webstore/detail/simple-startup-password/ojoalkffommhmdmbohjphohoejjmgepc
@Cyril, nice idea but no confirmation required when you first set up the password (as it is asterisked out, would be easy for people to get it wrong and lock themselves out).
More important, the protection is poor – open 2 instances of Chrome and when you get the password wrong on one, the other Chrome stays open revealing full access to everything
‘Our decision not to implement the Master Password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit’
They should be ashamed of thenselves for posting such statement.
Remember too, this is just in relation to this issue. Go through the chrome forums and you’ll see many classics like the blow off they did here.