Why No Google Chrome Master Password For Saved Passwords?
The Google Chrome password manager is found in Chrome via Wrench (spanner) / Options / Personal Stuff / Managed Saved Passwords and contains a list of login usernames and passwords you have saved for websites – clicking ‘Show’ displays each password.
Because the passwords are stored in a database (in %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data) you can also use a tool such as Nirsoft’s Chromepass to read this database and get a full list of all these usernames/passwords – e.g. to save them to a text file to print off. We look at how secure your saved passwords are in Chrome – and compare it to Firefox.
How Chrome Stores Saved Passwords – Chrome encrypts them using your Windows logon password.
- Can another user account on your computer read them? No, not unless they know your user account password.
- What if someone copies your password database to another computer? They still won’t be able to read it without knowing your Windows logon password.
- What if someone uses password reset tools to reset/change your password from outside of your user account and then logs in as you? Again, they will not be able to read the passwords – in fact all your Chrome passwords become unreadable if your Windows password is changed by anyone except you. Even tools like ChromePass can’t access them – unless you tell it your previous Windows logon password.
Warning: if you forget your Windows logon password and have to reset/blank it using special tools (or from an admin account) you will lose access to all your Chrome saved passwords – you can’t view them or automatically login to stored websites! This is a disadvantage that Google really should warn you about…
How Firefox Stores Saved Passwords – Firefox stores saved passwords in plain text so, in all 3 situations above, someone else can easily read your saved passwords. By default then, Chrome is far more secure. However, remember that hacking tools can quickly find out your Windows logon password if it is a simple one i.e. less than 10 characters and not a mix of letters, numbers and symbols.
If you use an easy to guess Windows logon password then all bets are off – someone can find that out and use it to read all your Chrome saved passwords.
What About A Master Password?
Firefox includes a Master Password option whereas Chrome doesn’t. Setting a master password in Firefox encrypts all saved passwords to triple DES standard which is extremely secure.
And because the Master Password doesn’t use your Windows logon password to encrypt the database, Firefox does not suffer from the ‘forgotten password’ problem of Chrome i.e. even if you had to reset your Windows password or move your Firefox database to another computer you could still view your saved passwords – if you knew the Master Password.
Why Doesn’t Google Chrome Have A Master Password?
Google’s response in the Chrome support forum is baffling: ‘Our decision not to implement the Master Password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit’.
In our humble opinion that is misguided – there is no valid security reason why Chrome should not add a master password option to increase security for those that want it.
Chrome’s default security relies totally on the strength of your Windows logon password – and for many people that is minimal… If you have a very strong Windows password then Chrome passwords are also secure, but if you have a weak Windows password like ‘12345’ (or none at all) then your Chrome passwords are very insecure.
We also don’t like the fact that if you forget your Windows logon password you lose all your Chrome passwords. In theory the same goes for Firefox’s Master Password but at least users know they have purposely set that up whereas most Chrome users won’t have a clue that their Windows password is absolutely crucial to how their passwords are stored in Chrome…
Chrome’s password security is certainly better than Firefox’s default security (although the reliance on Windows passwords is poor). However, Firefox excels by offering a Master Password which achieves far better protection than Chrome – even a weak Master Password using Triple DES encryption is much harder to crack than a weak Windows logon password.
See our review of LastPass – a secure password manager that effectively adds Master Password functionality (and a lot more) to Chrome. It’s just a shame that Google are ignoring this issue and not providing the option for security conscious users.