What do update Archivesprivacy experts say about using Google Chrome and other browsers for password management? Neil J. Rubenkingfrom Mashable's sibling site PCMag has the answers.
Password management programs have been around since the '90s, and the major browsers added password management as a built-in feature in the early 2000s. Ever since then, PCMag has advised getting your passwords out of insecure browser storage and into a proper, well-protected password manager. Back then, we could point to password managers that would extract passwords from your browser, delete them from the browser, and turn off further browser-based password capture. That sure doesn’t sound safe!
SEE ALSO: The best password managers for all your online accountsThankfully, browsers have made progress and no longer leave your passwords quite so open to external manipulation. If you want to switch to a dedicated password manager, for instance, you’ll probably have to actively export passwords from the browser and import them into your new product.
But have browsers made enough progress than we can recommend storing your passwords in them? Specifically, should you use Google Password Manager, which is conveniently built right into Chrome? According to experts, the answer remains a resounding no.
For a company that’s built on password management, trust is everything. Serious contenders use zero-knowledge techniques to protect your encrypted data so that no one—not the password company, not the government, nobody—can know your master password or decrypt your data.
Even so, errors in implementation can risk password security. In a series of revelations starting last August, we learned that hackers compromised a key LastPass employee’s computer to steal an unknown number of encrypted data vaults. Worse, some important data elements such as login domains weren’t encrypted. It’s hard to trust LastPass now.
KeePass is the techie's favorite password manager, in no small part due to its endless possibilities for customization. However, that same customization power has been revealed as a kind of Achilles’ heel. Anyone who gains access to your computer, either by using a Remote Access Trojan or by sitting down in your absence, can steal all your Keepass passwords. It’s a simple matter of using Notepad to create an action that exports the passwords to plain text and then sends the resulting data to a drop on the internet. Admittedly, gaining the required access could be tough, but the exploit is possible. Or rather, waspossible. The latest KeePass update, 2.53.1, removed the option to export passwords without requiring entry of the master password.
Before getting into whether you should use Google Password Manager, let’s review how you can shut it down (or fire it up, if that’s your choice). First, make sure you’ve enabled Sync in all the Chrome instances where you want to share passwords. Click the three-dot menu at top right of the Chrome window, then click Settings. The top item in the left-rail menu, titled You and Google, should be selected initially; if not, click it. In the resulting dialog, you can turn syncing on or off.
Credit: Google Now click Autofill, just below You and Google, and click Password manager. If you want to use Google Password Manager, turn on the items Offer to Save Passwords and Auto Sign-in. If not, turn them off.
For more, you can read How to Master Google Password Manager. No, we don't recommend it from a security point of view; but, yes, we know some people are going to sacrifice safety for convenience.
To supplement my own knowledge and experience, I called on experts from several well-known commercial password manager companies, including Craig Lurey, co-founder and CTO of Keeper; NordPass CTO Tomas Smalakys; and Michael Crandell, CEO at Bitwarden.
Smalakys led with a warning against using a browser’s password manager, saying, “Despite cybersecurity experts’ continuous warnings about the vulnerabilities of browser password managers, internet users continue to fall into the ‘But it’s convenient!’ trap.” Lurey agreed, pointing out that a recent Keeper blog post ran down a long list of why browser password managers aren’t safe.
Zero-knowledge encryption is the reason dedicated password managers can keep your data safe without ever having access to your master password. “Google's password manager doesn't use zero-knowledge encryption,” stated Lurey. “In essence, Google can see everything you save. They have an ‘optional’ feature to enable on-device encryption of passwords, but even when enabled, the key to decrypt the information is stored on the device.”
Smalakys concurred that data stored in the browser isn’t protected the way a password manager’s data is. “Hackers use social engineering methods to trick internet users into downloading new extensions that can easily extract data stored on a browser,” he noted. He went on to say, “While there is nothing wrong with cloud storage of passwords, a company must ensure that users' data is encrypted before it's stored in the cloud. Therefore, internet users should choose a service provider that guarantees end-to-end encryption.”
Crandell tossed Google a bone, saying, “Any password manager is better than no password manager,” but went on to warn, “The limitation of browser-based password managers is that they work only within a walled garden. If you ever need to operate in another browser, or some environment where that browser doesn’t reach, you’re out of luck.”
Lurey offered a laundry list of simple ways in which Chrome’s built-in password manager doesn’t meet the standards of dedicated password management programs. For starters, it’s Chrome-specific; if you use another browser, you’re up the creek. There’s no option for secure sharing of passwords, nor for establishing a digital heir for your password collection. The browser stores only passwords, not personal details such as addresses, account numbers, and credit cards.
Crandell also highlighted the lack of important features in browser-based password systems. He noted that such systems lack “secure sharing of passwords with colleagues and family, support for biometric login and security keys, reports on whether your passwords are weak, reused, or have been breached, integration with systems at work like SSO, and many other features.”
Smalakys said, “Many browsers do not require a master password or a multi-factor authentication (MFA) approval.” Google does permit MFA, but doesn’t require it. And, indeed, there’s no master password. If you leave your desk with Chrome active, anyone who has access can log into your accounts. The same is true if you let someone else use your phone.
“Be careful about locking yourself into any single big company’s walled garden,” warned Crandell. “It’s important to have freedom to work across all platforms and environments, whether browsers, mobile, or desktop operating systems.”
Smalakys pointed out the danger of connected accounts. “In a scenario...using a Chrome browser, its safety depends on how secure the connected Gmail account is,” he said. “If this Gmail account gets compromised, a hacker could, without much effort, access all the other accounts' passwords saved on the browser.” In a similar vein, Lurey noted that, “The user must place full trust in Google to protect their information.” If your Google account is breached, so are all your passwords.
A browser is designed for browsing; password management is an afterthought. “Dedicated password managers are putting all their effort into developing a password manager that is secure, and go through independent audits, in order to ensure that security,” concluded Smalakys. Crandell offered a similar sentiment, saying, “Leading password managers focus 100% on enabling both optimum safety and the many use cases for passwords, so are more feature rich.”
Google Password Manager doesn’t use the zero-knowledge encryption techniques that protect password data from everyone, including the password manager company. It doesn’t even use a master password. Dedicated password tools offer many features that you don’t get with a browser built-in. And you can only use Google’s password system in Chrome (or, to an extent, Android). These are just a few of the reasons that you should get a real password manager instead of relying on Chrome.
It's awfully convenient that Google Password Manager comes as a free feature of a free browser. That’s not a good enough reason to accept limited security for your passwords, though. We’ve evaluated plenty of free password managers that offer serious protection for your passwords at that same zero-dollar price—use one of them instead.
Topics Cybersecurity Privacy
Best outdoor deals: Save up to 50% at REI and Amazon to prep for camping season
Nathan Zuckerman; Soon
Abundance Mindset
Learning to Listen
Best robot vacuum deal: Save $200 on Eufy X10 Pro Omni robot vacuum
Join us at the Norwood by Thessaly La Force
David Orr: Lost in the Archives, Spring 1974 by David Orr
The Outcasts of W. Eugene Smith’s Jazz Loft
Barcelona Open 2025 livestream: Watch live tennis for free
Put Up This Wall! by David Zax
Amazon Big Spring Sale 2025: Save $20 on Amazon Echo Show 5
Francisco Goldman on ‘Say Her Name’ by Lila Byock
ZeniMax workers win a tentative union agreement
One Elite, Two Elites, Red Elite, Blue Elite
Character AI reveals AvatarFX, a new AI video generator
The first images of Earth are chilling
Probably Oblivion
5 planets will light the sky in rare astronomical event this week
Best security deal: The 8
New York Groove
Unseasoned chicken cooked on a bare pan is mocked by the internetEverything you need to know about wax play during sexIs HBO Max still worth the money?Trump defends his choice to serve the Clemson football team '1000 hamberders'Review: 'Weird Parenting Wins' by Hillary FrankSpaceX is laying off 10 percent of its workforceDiscovery in skeleton's teeth reveals role of Medieval women in artBeto O'Rourke *checks notes* Instagrammed his dentist appointmentWhat to do (online) if your flight is cancelledMost watched TV shows and movies of the week (Aug 27)SpaceX is laying off 10 percent of its workforceReview: 'Weird Parenting Wins' by Hillary FrankNetflix's 'Seoul Vibe' review: Fast, furious, and fun '80s actionStormy Daniels offers a fun alternative to Trump's national addressXbox and Nintendo confirm no console price hikesTrump defends his choice to serve the Clemson football team '1000 hamberders'Warner Bros. is holding secret screenings of 'Batgirl''Star Trek: Lower Decks' Season 3 review: Not just for TrekkiesThe most retweeted tweet ever is a billionaire's giveaway of free moneyStormy Daniels offers a fun alternative to Trump's national address Spiciest tortilla chip in the world is sold one chip per package A heartbroken Adele dedicates her NYC show to 'Brangelina' Bro gets upgraded to $21,000 first class seat on airplane because life isn't fair WhatsApp now allows you to ping someone even through a muted group chat Team Angelina Jolie released a second statement on divorce from Brad Pitt Refugee and former child soldier wins state 'Australian of the Year' Kim Kardashian's letter about Armenian Genocide denial runs as ad in the New York Times The $30 bag from Singapore Maisie Williams carried to the Emmy's promptly sells out online Rob Kardashian pulls off platinum blonde as well as his sisters Netflix says it knows exactly when you get hooked on its shows People still think anti We now know exactly how many times Trump has tweeted his favorite insults Charlie Sheen is making a movie about a 'loveable man 3D 'unwrapping' tools let scientists read an ancient Hebrew scroll The Tension Experience: A live theater show that seriously messes with your head Man asks Indian government if it is prepared for zombie and alien attacks This bouncing deer is guaranteed to provide you 12 seconds of happiness Get an exclusive look at Hulu and AwesomenessTV's new series 'Freakish' Striking images from the violent protests in Charlotte after fatal police shooting Put down that pug: Vets urge people to stop buying flat
2.2676s , 10158.546875 kb
Copyright © 2025 Powered by 【update Archives】,Miracle Information Network