Why No Google Chrome Master Password For Saved Passwords?

Over a thousand people in Chrome support forums complain that Google Chrome still does not have a master password to protect your saved website login passwords from prying eyes. This is a particularly sore point for previous users of Firefox – which does feature a master password for better security.

The Google Chrome password manager is found in Chrome via Wrench (spanner) / Options / Personal Stuff / Managed Saved Passwords and contains a list of login usernames and passwords you have saved for websites – clicking ‘Show’ displays each password.

Because the passwords are stored in a database (in %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data) you can also use a tool such as Nirsoft’s Chromepass to read this database and get a full list of all these usernames/passwords – e.g. to save them to a text file to print off. We look at how secure your saved passwords are in Chrome – and compare it to Firefox.

How Chrome Stores Saved Passwords – Chrome encrypts them using your Windows logon password.

  • Can another user account on your computer read them? No, not unless they know your user account password.
  • What if someone copies your password database to another computer? They still won’t be able to read it without knowing your Windows logon password.
  • What if someone uses password reset tools to reset/change your password from outside of your user account and then logs in as you? Again, they will not be able to read the passwords – in fact all your Chrome passwords become unreadable if your Windows password is changed by anyone except you. Even tools like ChromePass can’t access them – unless you tell it your previous Windows logon password.

Warning: if you forget your Windows logon password and have to reset/blank it using special tools (or from an admin account) you will lose access to all your Chrome saved passwords – you can’t view them or automatically login to stored websites! This is a disadvantage that Google really should warn you about…

How Firefox Stores Saved Passwords – Firefox stores saved passwords in plain text so, in all 3 situations above, someone else can easily read your saved passwords. By default then, Chrome is far more secure. However, remember that hacking tools can quickly find out your Windows logon password if it is a simple one i.e. less than 10 characters and not a mix of letters, numbers and symbols.

If you use an easy to guess Windows logon password then all bets are off – someone can find that out and use it to read all your Chrome saved passwords.

What About A Master Password?

Firefox includes a Master Password option whereas Chrome doesn’t. Setting a master password in Firefox encrypts all saved passwords to triple DES standard which is extremely secure.

And because the Master Password doesn’t use your Windows logon password to encrypt the database, Firefox does not suffer from the ‘forgotten password’ problem of Chrome i.e. even if you had to reset your Windows password or move your Firefox database to another computer you could still view your saved passwords – if you knew the Master Password.

Why Doesn’t Google Chrome Have A Master Password?

Google’s response in the Chrome support forum is baffling: ‘Our decision not to implement the Master Password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit’.

In our humble opinion that is misguided – there is no valid security reason why Chrome should not add a master password option to increase security for those that want it.

Chrome’s default security relies totally on the strength of your Windows logon password – and for many people that is minimal… If you have a very strong Windows password then Chrome passwords are also secure, but if you have a weak Windows password like ‘12345’ (or none at all) then your Chrome passwords are very insecure.

We also don’t like the fact that if you forget your Windows logon password you lose all your Chrome passwords. In theory the same goes for Firefox’s Master Password but at least users know they have purposely set that up whereas most Chrome users won’t have a clue that their Windows password is absolutely crucial to how their passwords are stored in Chrome…

Conclusion

Chrome’s password security is certainly better than Firefox’s default security (although the reliance on Windows passwords is poor). However, Firefox excels by offering a Master Password which achieves far better protection than Chrome – even a weak Master Password using Triple DES encryption is much harder to crack than a weak Windows logon password.

See our review of LastPass – a secure password manager that effectively adds Master Password functionality (and a lot more) to Chrome. It’s just a shame that Google are ignoring this issue and not providing the option for security conscious users.

30 Responses to: "Why No Google Chrome Master Password For Saved Passwords?"

  1. Sheila says:

    Totally agree, failure to add master password to Chrome is keeping me on Firefox for better security. Lastpass and roboform would do the job but i don;t like the thought of my passwords being handled in the cloud, however secure they”re supposed to be. No good reason for Chrome not to add one, must be very easy to do!

  2. Larry says:

    I suppose Google would advocate removing car door locks because the locks can easily be bypassed by breaking the window. By removing the locks completely, drivers will be more careful where they park their car.

    • Alex says:

      Ha ha, nice one Larry – best analogy I’ve seen of Googles pathetic attempt to defend the indefensible ;-)

  3. Leeroy says:

    Master Passwords suck because you have to type them in every time, and if it’s strong it takes an age.
    Getting the “master password” from Windows is clever and really neat for the user, but utterly insecure.

    If Google is ever persuaded to change this situation (by our collective begging and unicorn tear shedding) I wish they’d make it somehow that Chrome gets another more secure token from Windows. Or have an option to get it from something else, I dunnow, biometric data.

    I don’t want to type a master password all the time, because sometimes I will be in insecure places/situations.


    To hide the Show button so no n00b can come up to your machine and click to see your passwords…
    Add this to Custom.css (in your profile\Default\User StyleSheets\)

    .password .password-button {display:none !important;}

    Now the Show button won’t be there, but nirsoft ChromePass still works. Also someone can invoke the JavaScript console on the chrome://settings/passwords page and make all the password fields into text fields, thus revealing everything.

    • Harrassee says:

      That doesn’t make sense. Either you have to type your password at Windows Login, or when you open the web browser. I don’t see how where you are (presumably on a laptop) affects that security.

      I need a master password because I am on a work computer. IT people have access to my work computer, but they should not have access to my (personal) logins and passwords. Some IT person or anyone with access to my computer would have access to all my other (personal) accounts. That is unacceptable. I like that for Firefox, I can just close the browser and know that no one can access that data unless they hack my password.

      I have no confidential information on my computer – all of it is on the web/cloud – so that is where I need my security.

  4. david says:

    Just wanted to say thanks for recommending LastPass. I was about to give up on Google thanks to their lack of a master password, thanks to your recommendation I started using LastPass and it’s *amazing*. Highly recommended. (Apparently RoboForm and 1Password are good options as well.)

  5. danwat1234 says:

    Yeah, Chrome’s way isn’t cool. I don’t have a windows password, so that hopefully my machine will be tracked via IP tracking software if it get’s stolen, but then Chrome doesn’t encrypt the passwords?

    I have the problem that Chrome sometimes forgets a password and I have to have it learn it again. It is nowhere to be seen in the list of passwords.

  6. James Thompson says:

    I suspect Google’s reasoning is that if your Windows password is weak and easy to crack then whatever you choose for your Chrome password will also be weak and easy to crack. Whereas people who will actually choose a strong Chrome password or even turn the option on at all will already have a strong Windows password.

    Personally I prefer the Opera approach to this, they don’t require a master password but the passwords stored aren’t readable anywhere. This removes the danger of someone stealing your password database or browsing through your passwords if you leave the computer unattended.

    • Roy says:

      @James “if your Windows password is weak and easy to crack then whatever you choose for your Chrome password will also be weak and easy to crack” – this wouldn’t be true if the master password used triple DES and wasn’t stored – only a sustained brute force attack could reveal it. Windows password encryption is far weaker.

      Ps the password file used by Opera (without a master password) may not be immediately readable to humans but it is simple for a program to reveal the passwords in it – and this can be done remotely…

  7. Tipesh says:

    firefox’s approach is also good for portability: i can use the same ff isntallation (poretable version) on any computer, even if i reinstall the OS, maybe even on another platform.

    it doesn’t matter who’s logged in, or where: my passwords are both secured AND accessible.

    with chrome’s approach, they might not be accessible, even if i know my own passwords.

    • Roy says:

      Good point about portability Tipesh, thanks – I use portable Firefox (and portable Chrome) on a flash drive.

      It’s also easy to backup and restore Firefox (including passwords) via Mozbackup to transfer desktop Firefox to another computer – without having to sync. You can use Chrome’s sync via Google account to transfer passwords but I prefer not to have passwords and personal data synced with Google for obvious security reasons.

  8. Kenyoni says:

    1 — Windows is not the only OS in the world. This can’t be the way it’s done on Linux since it would be impossible for chrome to get my password unless I typed it in.

    2 — …which begs the question: “how does chrome get your Windows password?” Is windows really that insecure?

    3 — In either case, if I let someone borrow my computer to look something up on the Internet, if I don’t keep my eye on them for every second, they can easilly get my password with a couple clicks and a quick look.

    The point is, there is no local password security in Chrome. Big fail so I rarely use chrome and never save passwords with it.


    k

    • Roy says:

      1. Chrome saved passwords used to have no encryption in Linux and were stored in plain text – they are now able to be stored encrypted using KWallet or GNOME Keyring (perhaps depending on the distro)

      2. I simplified a bit – it doesn’t need to know the actual password as such but it uses a Windows API in encrypting which makes the data only decipherable by the same Windows user account that was used to encrypt the data. Effectively you need to be able to log on as that user with the same Windows password.

      3. Totally agree. Relying on the Windows user account and password for encryption is weak – a lot easier to crack than 3DES encryption. There is no valid security reason why Chrome should not also have the option to use a better protected master password.

  9. Doug says:

    Chrome DOES have a master password!
    Settings –> Advances Sync Settings –> Choose your own pass phrase

    The Google help for this feature explains that when you choose your own pass phrase, everything that Chrome saves (including passwords) is locally encrypted with this pass phrase, and that the pass phrase is not sent to Google or the net (which means that if you actually use Sync and you want to be able to access your saved data that you must manually set the same pass phrase in all copies of Chrome that you use). It also says that once you choose your own pass phrase that you are required to enter it every time you start Chrome.

    Isn’t that exactly what a master Password does?

    • Kenyoni says:

      Ummmm…. No.

      It’s very tricky wording. The local files are *not* encrypted. They are encrypted before sending them to google.

      Here’s an analogy: If your city water supply comes frome a reservoir, it is purified/treated before it is sent to your house. (well, at least in most deveoped countries) The whole resevoir is not treated, only the part that is sent to your house and it’s done just before it is shoved into the pipe heading in your direction.

      To back this up, the last paragraph on this page tells all:
      https://support.google.com/chrome/bin/answer.py?hl=en&answer=1181035&p=settings_encryption

      If the local was encrypted also, your local data wouln’t be available to you if you forgot your passwd.


      k

    • Roy says:

      As Kenyoni says.

      Firefox Master Password encrypts saved passwords locally – if you logged into my PC as me you couldn’t access my passwords without knowing my Master password

      Chrome doesn’t offer that – if I logged into your PC as you I could access/save all your saved passwords

  10. jackuars says:

    Setting up a master password brings a false sense of security and is not very reliable. First of all, an attacker has to get the password for user account/admin account of the system. If he does that, the person can setup keyloggers, sniffers, remote control software, desktop recording software, and he can easily monitor and get the passwords on Firefox too even if does include a master password.

    So there is no “extra security” and what Google claims is not rubbish. A saved password and a typed password is at about the same risk against a determined attacker. Guess you got the point.

    • Joe90 says:

      “If he does that, the person can setup keyloggers etc” – the point is that with Chrome (unlike firefox) there is no need to.

      anyone with access to your account can just grab your passwords – don’t have to be a master hacker or bypass antivirus/firewalls etc

      that is what the ‘extra security’ of a master password prevents – the far more common scenarios such as 1. you leave your PC logged in 2. i know your password

      • jackuars says:

        If somebody has access to your account, or if you are even dumb to leave your terminal for someone else simply install (Refog keylogger) and you’ll get their typed passwords. You don’t have to be a master hacker for that……

        Don’t be fooled by the “extra” security that a master password can give. Never leave your computer for somebody else without supervision. With Chrome or Firefox if you leave your system open, you’ll asking for trouble that’s the point.

  11. bryan.cfii says:

    Personally, I want the extra layer of security (time) that Firefox gives me in case my laptop is stolen. They can work on my firmware password, then they can work on my User account password, okay, but then Google say I should just reward the thief’s effort by letting them just open my browser and walk through my life. Really???

    I personally don’t want to give up that stuff that easily. Sorry Google. I have people in my life that I share my computer with; like a girlfriend, assorted friends, etc… Google says, ” don’t just close your browser and reopen so its auto-fill is locked, log out and make your girlfriend use a guest account to look at your photos through some sort of third party website or some other crap.” All because I want my bank password private. I don’t think that’s to much to ask…

    • Roy says:

      It does seem odd that thousands of potential/current Chrome users recognize this is a useful security feature but Chrome developers choose to ignore it…

    • jackuars says:

      Do not even trust your girfriend or parents with your banking credentials at any cost. A few tips here:

      1. Never access banking sites from search results given by Google. Always try to type the address directly in the address bar.
      2. Using a new private window of your browser is the safest pratice for online banking.
      3. Use passwords involving random combination of upper case and lower case letters, numbers and special characters. Never use dictionary words or personal info for it.
      4. Try to memorize your passwords as far as possible. Do not write it down or store on your computer. Never use the auto fill feature for the same. Got it?? Whether you’re using FF or Chrome
      5. Keep your O.S up to date with the latest patches and use the latest definitions of your antivirus and install a firewall alongside.
      6. Change your password after a few months or so, and never use the same password to log in to other sites.
      7. Do not click any pop-ups that may appear on your browser and which may redirect you to another site asking for your identification and password.
      8.Make sure that you log out after each session and clear all your browsing history, cookies and any traces.
      9. Make sure that the site address has https instead http protocol. Make sure that your transaction is encryped by looking at the bottom right corner for a padlock.

  12. buythiscomputer says:

    Still no master password now ?

    And does the EXTENSION works perfectly ?

    Thanks.

    • Roy says:

      Doesn’t look like there will ever be a master password for Chrome, people have been asking for years…

    • Roy says:

      @Cyril, nice idea but no confirmation required when you first set up the password (as it is asterisked out, would be easy for people to get it wrong and lock themselves out).

      More important, the protection is poor – open 2 instances of Chrome and when you get the password wrong on one, the other Chrome stays open revealing full access to everything

  13. FV says:

    ‘Our decision not to implement the Master Password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit’

    They should be ashamed of thenselves for posting such statement.

    • bryan.cfii says:

      Remember too, this is just in relation to this issue. Go through the chrome forums and you’ll see many classics like the blow off they did here.