Storing Passwords In Your Browser? Time to Stop.

The latest controversy to make the rounds on tech news outlets and social networks surrounds the lack of security features built into Google’s Chrome browser, leaving user passwords and form fill data at risk.

Web developer Elliot Kember questioned Google’s security practices after showing that anyone with physical access to the computer will have immediate access to the passwords, which can easily be toggled to plain text. Someone can simply go to the URL chrome://settings/passwords or visit a user’s password page in the browser Settings menu to easily view the data. There is no master password or even a generic prompt – essentially, there is no added security for the passwords.

The main concern that Kember raises is the fact that the mass market doesn’t expect it to be that easy for others to get to their data. In his blog post, he calls for Google to either clarify the security policy so users can make a more informed decision, or to add a master password option (as Mozilla Firefox has done).

This “flaw” in Google Chrome is old news to many. However, the fact that Chrome is now one of the three most widely-used browsers in the world means that more and more of the general population is utilizing Chrome and saving their data to the browser, with little information regarding how that data is protected.

Ultimately, the most secure way to store your data is to not store it in a browser at all, where there are minimal security options and a host of possible threats. By storing your data in a password manager, you’re adding at least one authentication layer with your master password, not to mention the encryption technology built into the software itself.

There is also the added benefit of utilizing multifactor authentication and other features to control where and how your data can be accessed. These features include the ability to restrict logins to specific countries or to enable master password reprompts on more sensitive logins. A password manager also ensures that should one computer or browser crash, or be lost or stolen, your data remains securely accessible on your other devices.

While we agree it would be wonderful if Chrome would increase its security options or offer better warnings for users, Chrome users can be proactive today by downloading a password manager like LastPass and migrating their data out of their browsers. LastPass will even help you with that process by automatically importing your passwords for you as you get started – so don’t wait until it’s too late.

Were you aware of this shortcoming in Google Chrome? What other steps are you taking to protect your data?


  • Anonymous says:

    Since the views expressed here are bordering from the naive to the inept, please pardon my tone, but as a researching scholar of cryptology and teaching doctor of mathematics, I can assure you that the NSA does not need to ask at all… they just take the company “X” hashed password DB through compromised (by the former) layers and backdoors (also introduced by the same party) and they crack, or better decode, the hashes by security “bugs/features” and available hidden collisions (also introduced… as above). Every aspect of the security layers existing today is to be considered crippled and compromised in either the implementation or even the logic behind it. Some of the very textbook math behind the security and encryption layers in use and taught worldwide today, of which the exposed basics (but not the hidden logic part) you can even freely read on Wikipedia, was introduced by researchers working for and by the RSA and NSA contracts and requirements. Most of the source code and mathematical, logical basis are in need of an audit in their foundations, even the ones popularly and academically held as dogma. My paper, which will be published by the end of next trimester by my Academy, will illuminate the conjectures and faults purposely placed at hand.

  • Anonymous says:

    As opposed to the NSA going to each service you have and requesting your password?