Security

Should I be using Chrome to store passwords?

If you’ve ever used a browser, particularly Google Chrome, the chances are you’ve been faced with a pop-up box in the corner of your screen asking if you would like Chrome to save your password. You’ve probably clicked yes, thinking ‘that’ll be handy for next time, so I won’t have to remember it!’ and then thought no more about it – but we want to look at why using Chrome to store passwords can be a massive security risk if you’re not aware of what’s happening. 

The problem

Accessing saved passwords in Chrome

Within Google Chrome, you can store all of your passwords and sync them with other devices you’re logged into with your Google account, for example your phone and your tablet. 

Did you know, you can access a list of all of the passwords you have saved in Chrome by heading to chrome://settings/passwords? Not only does it give you a full list, with just a couple of clicks you can export them all, and copy them elsewhere!

These are incredibly convenient features for a user who wants to store their passwords, but it’s also really easy to forget what it means in terms of security when it’s so easy.

Anyone who visits that page on Chrome when signed into your account can see the full password for every account you have saved. For each account it shows the URL for the login page, as well as the username and password.

This leaves you completely vulnerable in a whole host of situations, including but not limited to: 

  • If you leave your unlocked laptop unattended briefly in a cafe
  • If you let a colleague use your work computer which has you signed in to your Google account
  • If your phone gets sent for repair with your Google account automatically logged in
  • If you sign in on someone else’s device and forget to sign out
  • If you share a device with one or more others

It’s not that by doing this you’re not security conscious, it’s that it’s really easy to forget where you’re signed in, which devices are signed in, and how quickly someone can access this sensitive information and then close the page again without you knowing a single thing about it.

It’s not just an issue unique to Chrome, either. Other browsers such as Firefox work in a similar way, and Apple devices offer up a similar ease of access to your passwords.

The solution

Use a third-party password manager

Rather than clicking ‘yes’ when your browser asks if you’d like it to save a password for you, add it to a password manager instead. This is a secure way of storing your passwords with their own security protocols that would stop someone gaining access to all of your passwords. 

If you are going to use your browser to store passwords, then you need to be really hot on device security.

Protect your device

  • Add a password to the device
  • Lock your screen when stepping away from your device
  • Enable the guest account on laptops and PCs so someone can borrow it without having access to all of your sensitive data
  • Make sure you’re signed out of any shared devices, and have removed your account

Although it might take you a few extra seconds to log in, you’ll be saving yourself from a world of pain if someone gets hold of your email password or online banking details! 

Account security using MFA

Add Multi-factor Authentication to any account it’s possible to have it on. This means if someone does get hold of your device, they’re more likely going to need another bit of information before they have access to everything on your account.

This is really good practice anyway, as it can stop a lot of hacking attempts. You can read more about MFA and how it improves security here.  

Conclusion

It’s not necessarily a bad thing. If you’re going to use your browser, Google Chrome or otherwise, in order to store your passwords, be more aware of the security implications if somehow your account becomes compromised, and think of ways you can lessen the probability of that happening using the device security tips above, paired with Multi-factor Authentication.

If you’d like more help and advice about password security, please do get in touch. We see businesses who have suffered with security breaches like this, and it’s our mission to stop it from happening to as many people as possible!