Why No Chrome Master Password For Saved Passwords?
This is a particularly sore point for previous users of Firefox – which does feature a master password for better security.
The Chrome password manager is found in Chrome via the 3 dots menu / Settings / Autofill / Passwords and contains a list of login usernames and passwords you have saved for websites – click the eye ‘Show password’ icon to display each password after you have entered your Windows user password.
Because the passwords are stored in a database, you can also use a tool such as Nirsoft’s Chromepass to read this database and get a full list of all these usernames and passwords – e.g. to save them to a text file to print off.
I’ll look at how secure your saved passwords are in Chrome – and compare it to Firefox.
How Chrome Stores Saved Passwords
Chrome encrypts them using your Windows logon password:
- Can another user account on your computer read them? No, not unless they know your user account password.
- What if someone copies your password database to another computer? They still won’t be able to read it without knowing your Windows logon password.
- What if someone uses password reset tools to reset or change your password from outside of your user account and then logs in as you? Again, they will not be able to read the passwords.
In fact all your Chrome passwords become unreadable if your Windows password is changed by anyone except you. Even tools like ChromePass can’t access them – unless you can tell it your current Windows logon password.
Warning: if you forget your Windows logon password and have to reset it using special tools (or from an admin account) you will lose access to all your Chrome saved passwords – you can’t view them or automatically login to saved websites! This is a disadvantage that Google really should warn you about…
How Firefox Stores Saved Passwords
By default, Firefox stores saved passwords in plain text so, in all 3 situations above, someone else can easily read your saved passwords. By default then, Chrome is far more secure.
However, remember that hacking tools can quickly find out your Windows logon password if it is a simple one i.e. less than 10 characters and not a mix of letters, numbers and symbols.
If you use an easy to guess Windows logon password then all bets are off – someone can find that out and use it to read all your Chrome saved passwords.
But What About A Master Password In Firefox?
Firefox does include a Master Password option whereas Chrome doesn’t. See my guide for how to set it up.
Setting a master password in Firefox encrypts all saved passwords to triple DES standard which is extremely secure.
And because the Master Password doesn’t use your Windows logon password to encrypt the database, Firefox does not suffer from the ‘forgotten password’ problem of Chrome
I.e. even if you had to reset your Windows password or move your Firefox database to another computer you could still view your saved passwords – as long as you knew the Master Password.
Why Doesn’t Google Chrome Have A Master Password?
Google’s response in the Chrome support forum is baffling: ‘Our decision not to implement the Master Password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit’.
In my humble opinion that is misguided – there is no valid security reason why Chrome should not add a master password option to increase security for those that want it.
Chrome’s default security relies totally on the strength of your Windows logon password – and for many people that is minimal…
If you have a very strong Windows password then Chrome passwords are also secure, but if you have a weak Windows password like ‘12345’ (or blank, none at all) then your Chrome passwords are very insecure.
I also don’t like the fact that if you forget your Windows password you lose all your Chrome passwords. In theory the same applies to Firefox’s Master Password but at least users know they purposely set that up whereas many Chrome users won’t have a clue that their Windows password is crucial to how passwords are stored in Chrome…
Chrome’s password security is certainly better than Firefox’s default security (although the reliance on Windows passwords is poor).
However, Firefox excels by offering a Master Password which achieves far better protection than Chrome – even a weak Master Password using Triple DES encryption is much harder to crack than a weak Windows logon password.
See my review of LastPass – a secure password manager that effectively adds Master Password functionality (and a lot more) to Chrome. It’s just a shame that Google are ignoring this issue and not providing the option for security conscious users.