Why storing passwords in Chrome is a bad idea

Google's Web browser offers no master password or any other gate between a logged-in user and the passwords it has saved.

It seems like almost every website you visit has a login of some sort. Managing and remembering them is virtually impossible, so for convenience the major Web browsers offer a feature that saves your passwords. But a software developer has discovered that it's a bad idea to trust this sensitive information to your browser--especially if your business uses Google Chrome.

Elliot Kember wrote a blog post about the critical flaw in Chrome password security. He had decided to switch from Safari to Chrome and wanted to import his Safari bookmarks so he'd have access to all of the same sites and content between the two browsers. He was alarmed to find that one of the "options" under "Import bookmarks and settings" is to import saved passwords. However, that option is grayed out and pre-checked, meaning it is mandatory: there is no way to opt out of importing saved passwords.

Aside from the irony of having a checkbox for something that is clearly not optional, the import setting set off some red flags for Kember. Chrome does not provide any protection for the passwords it stores--there is no master password that locks access to managing the saved passwords. Anyone using the logged-in session can open the settings page and reveal each password in plain text simply by clicking the "show" button next to the password field; no re-authentication is asked for.

Kember writes in his post, "In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It's the mass market--the users. The overwhelming majority. They don't know it works like this. They don't expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay."

As convenient as it may be, it's generally a bad idea to let your browser--any browser--store your password information. Granted, some browsers do a better job of locking things down than Chrome (Firefox, for example, offers an optional master password), but the browser only manages passwords for websites and Web-based applications, which means you'd still need a different, separate tool for managing other password credentials.

Complexity is the enemy of security, and a long list of unique passwords is exactly that kind of complexity. Graham Cluley, a respected security expert, recommends using a password management utility like LastPass or 1Password. For Mac OS X users (especially when Mavericks is officially released), the iCloud Keychain is an alternative solution as well.

The other enemy of security, however, is convenience. Any feature or capability that makes it easier for you to remember login credentials or access sensitive data also increases the risk that an attacker can exploit that convenience for nefarious activities. Having a master key to protect stored passwords is better than not having one, but a master key is also an Achilles heel: it unlocks all of your passwords if an attacker can guess or crack it. Password managers limit that exposure by stretching the master password through a deliberately slow key-derivation function, so that every guess costs the attacker real work; that only helps if the master password itself is long, unique and not in any wordlist.
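To make the master-key trade-off concrete, here is an added example (not code from the article, and not the implementation of any product named in it). It builds a toy vault that encrypts saved entries under a key stretched from a master password with PBKDF2, then runs an attacker's dictionary attack against it: a weak master password falls in a handful of guesses, a strong one survives the whole list, and every guess costs one full KDF run. The keystream construction, the entry names and the wordlist are all constructed for illustration; a real manager would use AES-GCM or similar and a far higher iteration count.

```python
import hashlib
import hmac
import json
import os

# Work factor for the KDF. Real managers use far more (hundreds of thousands
# of PBKDF2 iterations, or Argon2/scrypt); kept small so the attack below
# runs in well under a second.
KDF_ITERATIONS = 20_000

# Constructed attacker wordlist for the demonstration.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "iloveyou"]


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the stretched key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher: XOR data with HMAC-SHA256(enc_key, nonce||counter) blocks.
    (A toy PRF-based construction; shown only so the example has no third-party deps.)"""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, out))


def seal_vault(entries: dict, master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt-then-MAC the entries under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    ciphertext = _xor_stream(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(vault: dict, master_password: str):
    """Return the entries, or None if the master password is wrong (MAC mismatch)."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, vault["iterations"]))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(vault["tag"])):
        return None  # wrong key, or tampered vault: reveal nothing
    return json.loads(_xor_stream(enc_key, nonce, ciphertext).decode())


def dictionary_attack(vault: dict, wordlist):
    """Attacker's side: try each candidate. Returns (password, guesses) or (None, guesses).
    Each guess pays the full KDF cost, which is the whole point of the work factor."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if open_vault(vault, candidate) is not None:
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    entries = {"example.com": "s3cret-site-pw", "mail.example.net": "another-one"}
    weak = seal_vault(entries, "password1")
    strong = seal_vault(entries, "correct horse battery staple")
    print("weak master password:", dictionary_attack(weak, WORDLIST))
    print("strong master password:", dictionary_attack(strong, WORDLIST))
```

The vault stores only salt, nonce, iteration count, ciphertext and tag; the master password never touches disk, and a wrong guess yields a MAC failure rather than garbage plaintext. Raising `iterations` multiplies the attacker's cost per guess, but as the weak case shows, no work factor rescues a master password that sits in a common wordlist.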

In fairness to Chrome (and other browsers), this is not a remote vulnerability. To view the stored passwords, someone has to be able to use your logged-in session, whether by sitting at your unlocked PC or device or by running code under your user account. One practical mitigation is simply to make sure your PC or mobile device is locked when not in use, and not to let other people borrow it, or at least to log them in under a separate "guest" account so they don't have access to your personal browser profile.

But passwords aren't going away any time soon, and you have to manage the seemingly endless list of complex passwords somehow. A password management tool is an effective solution, and a better idea than using the password-storing feature in a Web browser. From a business security and compliance perspective, users should be governed by policies that prohibit storing passwords in this manner.

Kember ended with a challenge: "Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click "show" on a few of the rows. See what they have to say."

Tony Bradley, CSO
