Google’s web browser, Chrome, is in the news these days because it has come to everyone’s notice that Chrome stores passwords in clear text. What this means is that anyone can access your saved passwords in Chrome without any effort. For Google Chrome users this is an extremely serious matter, and some precautionary steps need to be taken in order to protect saved passwords.
How anyone can access saved passwords in Chrome
Yes, ‘anyone’ can access saved passwords in Chrome, and not just the actual user of the browser. This means that if your computer is unlocked (and you haven’t set a password), then even your friend can view the stored passwords.
To view passwords, launch Settings > Show advanced settings and click on “Manage saved passwords.” You’ll now be able to see a list of all websites and services where you’ve saved passwords. To view a password of any website, simply click on the website and then on “Show.” And there goes your saved password, revealed to anyone who has access to your PC even for a few seconds.
It is worth noting here that if your computer ever gets stolen, Chrome will treat your Windows password as a master password. If the thief is not able to access your Windows account, then they will not be able to access Chrome passwords, either. However, since the Windows account password is constant, even external utilities will be able to decrypt and read your Chrome passwords. For example, the free utility ChromePass by NirSoft allows you to view the user names and passwords stored by Google Chrome.
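A defender-side check for the point above, as an added example that is not part of the original article: it scans file-access audit records for programs other than Chrome opening Chrome's password store. It assumes Windows file auditing (Security event 4663) is enabled on the profile's Login Data file; the allowlist paths and the sample events are constructed for illustration.

```python
# Assumed allowlist of legitimate Chrome binaries (lowercase full paths);
# adjust for per-user installs or other Chromium builds.
ALLOWED_PROCESSES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}
# Chrome keeps saved logins in a per-profile SQLite file named "Login Data".
STORE_MARKER = "\\google\\chrome\\user data\\"
STORE_SUFFIX = "\\login data"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed records shaped like Security event 4663; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": LOGIN_DATA,
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": LOGIN_DATA,
     "ProcessName": r"C:\Users\alice\Downloads\viewer.exe"},
    # Same file name as the browser, wrong directory: must still be flagged.
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": LOGIN_DATA,
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\chrome.exe"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "ProcessName": r"C:\Windows\explorer.exe"},
]

def is_password_store(path):
    """True if the path is a Chrome profile's Login Data file."""
    p = path.lower()
    return STORE_MARKER in p and p.endswith(STORE_SUFFIX)

def suspicious_accesses(events):
    """Return (user, process) for store accesses by non-allowlisted binaries."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if not is_password_store(ev.get("ObjectName", "")):
            continue
        if ev.get("ProcessName", "").lower() in ALLOWED_PROCESSES:
            continue
        hits.append((ev.get("SubjectUserName", "?"), ev.get("ProcessName", "?")))
    return hits

if __name__ == "__main__":
    for user, proc in suspicious_accesses(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={proc} opened Chrome Login Data")
```

Security products and backup tools may also open this file, so extend the allowlist with the ones you run before alerting on the result.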
Tips to protect or secure stored passwords in Chrome
So how would you protect your saved passwords in Chrome? Well, that’s easy! Simply start following these tips:
Tip #1:
Let’s start with the basics. Use a very strong Windows account password so that even if someone gets access to your computer, that person won’t be able to log in to Windows. If that person is able to log in, then he/she will be able to access saved passwords in a jiffy.
Tip #2:
Protect your computer from malware. If third-party utilities are able to access your Chrome passwords, then why not malware? Use a good antivirus or security suite.
Tip #3:
Don’t store sensitive account passwords in your browser. For example, don’t store passwords for bank websites, email accounts, or other financial and similarly sensitive services in browsers.
Tip #4:
Most important of all, use a third-party password manager like LastPass. When setting up LastPass for the first time, you will need to create an account with it. It will then store all of your Chrome passwords using AES 256-bit encryption, and it also has the ability to sync passwords between different web browsers and platforms. LastPass is available not only for Chrome, but also for Firefox, Opera, Safari and Internet Explorer.
It comes with an option to protect all passwords with a master password so that only ‘you’ can view your passwords. What’s more, if you want to add one more layer of security, then you can also enable the multi-factor authentication option.
If you’re not comfortable with using an extension, then you can use KeePass instead. It is a desktop program that stores passwords locally instead of on a third-party server. Just like LastPass, it allows you to generate strong random passwords, and you can also encrypt all passwords with one master password (one feature that Chrome is missing). However, since your passwords are stored locally, it can be a disaster in case of a hard disk failure or a re-installation of Windows.
Pssdt3 says
My take:
Good blog, but missed the key point, that the primary security weakness is the same as always. The users.
Security always requires informed effort. Ignorant and/or lazy computer users receive what they sow.
This article doesn’t apply to Android, used with a device password.
It is a minor problem using ChromeOS books or boxes, because they don’t store passwords locally. Offline they compare stored hash values for the registered previous users to the sign-in. If on network they use Google services to do the comparison.
A. One weakness of using Google-everything on a ChromeOS or Android device is that by default your Google account login is also your default Google email address. If you have another email address available, use that for email, and if you must use Gmail, set it to your other mail server, then set the sender address to be the other system mailbox.
B. It’s more important than ever for your Google account password to be nontrivial. Swiping patterns, 4-digit PINs and facial recognition are easy to hack.
C. Don’t leave your computer unlocked.
D. Don’t use Chrome on iOS or Windows without a setting changing the admin account name from the default. Knowing the administrator account name is more than half the effort of hacking into a computer. Both Apple and Windows have encrypted hard drives by default.
E. Set a locking screensaver with an inactivity timeout of no more than a few minutes.
This seems like a lot of work, but if your device has a USB port, you can get a secure token key that lets you get back into a locked session without your password. This key can be worn on a leash connected to you so you can’t leave your machine without it becoming locked.
Alternatively, don’t have Chrome set to not remember passwords and use a core password modified for each site using a part of the site/system name.