Google has improved the password management built into the Chrome browser. It’s . . . okay! Not bad! Better than nothing, absolutely. Saving passwords in Chrome is easy and kind of secure, as long as you take a couple of precautions that we’ll talk about below.
First, to be clear: everyone should use LastPass or another full-fledged password manager. The important reason is that LastPass is more secure – and this is an extraordinarily dangerous time to be online. You will probably also find an extra feature that makes a password manager a better choice; maybe it will be sharing passwords with family members, or using the LastPass app on a phone, or storing other secure information about driver’s licenses or passports.
But I know some of you won’t use LastPass. It’s a little complicated to get started. It only works if it becomes a habit, and it’s hard to change our habits. Don’t worry, I’m not judging you, at least as far as you know. Let’s look at what Chrome can do to help you with passwords.
All of you have seen the window in the above screenshot: “Do you want Google Chrome to save your password for this site?” There is a password manager built into Chrome. It’s been there for years. It does some of the same things as any password manager: it offers to save passwords for websites when you sign in for the first time, and it tries to automatically fill in the password when you return to the site.
Chrome has handled passwords in a mediocre and uninteresting way for several years, not very helpful but not bad enough to warn you about.
Now, though, Google has added a feature that is genuinely helpful. If you’re not going to use LastPass, then you should know what Chrome can do to keep you safe.
When you create a new account on a website, Chrome will now automatically suggest a complex, unique password. This is a big deal! It will help you get started on the process of trusting your password manager and not using the same password everywhere.
If you are logged into your Google account when you use Chrome (and you probably are), then Google has also made it easier to access your saved passwords by adding them to the dropdown menu when you click the account icon in the upper right corner. (You can also click on Settings / Passwords, or type in chrome://settings/passwords.) It’s optional but convenient to sync your passwords online, so they’re stored in your Google account and can be accessed from other devices.
When you look up your saved passwords, Google has increased security by requiring the Google account password to be entered again before a password can be displayed. Once you’ve done that, you can look up passwords and copy/paste them into websites.
Chrome is limited as a password manager: it’s not meant to be used for anything besides website passwords, and it’s a bit clumsy to look up a password on phones. (The LastPass app is far better on a phone. It’s easy to look up a password in the app. Sometimes the app can pull up a site and automatically fill in the password. It’s also supposed to pop up and offer to fill in passwords on apps, but that’s pretty sketchy so far.)
So Chrome’s password manager can save passwords and fill them in automatically, and now it helps you use secure passwords. What could go wrong?
How to be safe using Chrome’s password manager
Fiercely guard your Google account password
Before we get to passwords, surely you already have in mind that Google knows everything about you. It knows what websites you’ve visited, it knows where you’ve been in the real world thanks to Android and Google Maps, it knows who your friends are thanks to Google Photos. All of that information is readily available if you log in to your Google account. You already have good reason to treat the password for your Google account as if it’s a state secret.
But now the stakes are higher. You’re trusting Google with the passwords that protect the rest of your life – your bank, your shopping, your travel, your private life.
If someone learns or guesses your Google account password, you are completely compromised. The password has to be complex and unique. You have to treat your Google account password with the same care as a LastPass user. Perhaps more so, because it’s easier to reset a Google account password.
If your passwords are saved in Chrome, you should strongly consider using two-factor authentication to log into your Google account. I’ll talk about that in the next article.
Start locking your Windows computer when you walk away
Hold down the Windows key and hit the letter “L”. You’ll lock the computer so that no one can use it without a password. Your programs will stay open, so it’s not the same as tidying up and logging out. If you use a computer at work where someone else might have access to it, get in the habit of locking it every time you stand up. Your Chrome browser keeps you logged in to your Google account for convenience, so if it’s not locked, anyone with access to the computer can walk up and see all the information stored in your Google account with no difficulty. They might not get your passwords if they don’t know the password to the Google account, but frankly, I’m not completely sure of that and I don’t want any mistakes.
Locking your Windows computer is a good habit in general, to prevent unauthorized access to your mail, your files, and all the other things that you can get to from your desk. Your Google account is becoming one of the most important things to protect, so let’s choose that as the reason to begin hitting Windows key + L regularly.
If you’re a LastPass user, turn off Chrome password management
There’s no reason to have Chrome collecting passwords if you’re using LastPass. You can import saved passwords from Chrome into LastPass – on the LastPass menu or in the Vault, click on Settings / More Options / Advanced / Import. Then open up chrome://settings/passwords and turn off “Offer to save passwords.”
Security matters more than ever. Protect your passwords, protect your Google account, protect your Windows computer, and be careful out there!
I’ve used LastPass for 5 years but find it NOT just as good as Chrome password manager. LastPass doesn’t work on about 1/3 of websites, for me. Evernote is an example which requires frequent login and LastPass never works. Chrome passwords work almost every time and I am switching over. And you’re right, LastPass hasn’t added a feature for years while increasing the price. I estimate they have one programmer.
One good feature of LastPass is that you can set certain passwords (like bank, credit card) to require LastPass password reprompt.
LastPass was hacked several times, you know. The only assurance of safety is they say your personal key isn’t stored with them. They aren’t open source, so one can remain suspicious. I still can’t get my mind around having any password list on a remote server (tend to keep personal notes in the file, also). Chrome’s dependency on your Google password isn’t reassuring, either.
KeePass (arguably the best non-cloud app) is my choice, since it eliminates worrying about others guarding your password in any context. It just takes a bit more effort to logon to sites and you have to manually copy the *.kdbx file to any devices you use online. No big deal if you’re diligent and organized.
I have LastPass but do not find it easy to use. Also, should I delete all the passwords in Chrome now that I have it? The problem with LastPass is that it asks you to categorize each website when it saves a password, and there are multiple folders it could logically be categorized to. And when I change a password, LastPass does not update it very well. It saves many passwords for the same site and it’s hard to delete the old ones. Seems clunky. Or is there a LastPass tutorial that would address these real world kinds of issues? If there is, send it my way. I like the idea, but not the execution; Google Chrome seems much easier.
When I started using LastPass, I tried to categorize websites, but it didn’t last long. It’s optional, makes sense for some obsessive personalities, but you can ignore that. Searching in LastPass is fast and thorough, so I never do more than type a few letters of what I’m looking for. You’re right that LastPass doesn’t always update passwords correctly and creates duplicates instead. I’m not sure if I blame LastPass for that – I see the same thing with Chrome and other password managers on some sites. I use LastPass for more than just passwords so I appreciate its depth. If you prefer Chrome, use it! Google is improving its password management, making it a better option all the time.
The ability to generate/create safe passwords using various
I don’t see why a browser should have this feature, but it could be a nice addition and it might help promote stronger passwords.
Google just announced that it’s adding a safety check to its password protection – it goes through the passwords saved in Chrome and warns if they’re not complex or if you use duplicative passwords.
This is absolutely outrageous and it pisses me off. I share my terminal and all of a sudden the settings have been magically changed to “automatically save passwords” and “save cookies.” I absolutely bloody hate it because the person who uses Facebook can log into my account and I was not oblivious to it. Thing is that the balloon to automatically save passwords surreptitiously sneaks up on you and before you know it every goddamn website is saving your login information and it is a pain in the arse to remove the setting. HATE GOOGLE.
WHY CAN’T YOU JUST HAVE A SET OF DIFFERENT PASSWORDS IN A NOTEBOOK IF YOUR LAPTOP NEVER LEAVES THE HOUSE ETC.
You can! Everyone’s life is different. If that works for your life, it’s a fine system. Use complicated passwords and never use the same password twice. Just don’t lose the notebook!
I keep some login passwords in a WORD document. Not really that difficult to copy and paste when logging into websites. The document is p/w protected, I am retired and the computer does not leave the house. How safe is this simple password management system?
That works! Good job. Now you have two goals: don’t re-use the same password on multiple sites; and don’t be fooled by an email phishing message into giving a password to the bad guys.
Just a couple of comments in favor of Chrome:
1.) If you leave LastPass logged in (which people often do), it is just as vulnerable as Chrome’s password manager if someone gets access to an unlocked machine. To see the passwords in Chrome you either need a Windows login password or you can just trick the LastPass/Chrome browser into autopopulating a field and then de-obfuscate it (very easy to do).
2.) As long as you have 2FA enabled on your Google account, the Google password alone won’t get an attacker in. Even if they DID authenticate to your Google account, it isn’t enough to directly sync the passwords in Chrome (assuming your encryption password is different than your Google password). However, if you use Gmail as your email provider it’s pretty much game over. These days, access to email is the keys to the kingdom because it will allow you to reset passwords and get access to so much data that you will probably be able to easily brute force them anyway.
3.) It is harder to use phishing attacks against Chrome’s built-in password manager as it uses native browser UI. LastPass has to rely on the access given to it by Chrome and other browsers so the UI is less consistent and easier to forge for a phishing attack (e.g. Lostpass).
4.) LastPass premium price has increased substantially and is now $36 a year! They haven’t added a single feature since introducing 2 price bumps and tripling the price.
Some comments in favor of LastPass:
1.) It is a smaller target than Chrome’s native password manager and Android’s password storage which makes it less likely to be hacked. LastPass has also historically been very responsive in regards to vulnerability remediation.
2.) It has more robust features to audit passwords, store various types of data and more flexibility in random password generation.
3.) It has additional features such as ID protection.
4.) It will work on any browser, not just Chrome!
When LogMeIn bought LastPass, one of the fears was that LMI would begin stealthy price increases, just as it has done for the main LMI products for many years. They started in a friendly way by making LastPass mobile access free, but you’re right, they’ve been bumping the Premium price. Most individuals don’t need the Premium features, but still . . .
You make good points. A lot of people are slow to understand the importance of their email password and their Google password. That’s why 90% of the attacks by bad guys that I see these days are phishing attacks – an email with a tempting link that leads to what appears to be a real login screen. Even smart, cautious people fall for them, and as you say, that can be game over.
I’ve been using LastPass since 2013 or so, but I’m starting to wonder if I should’ve just been letting Chrome save my passwords the whole time. I mean, is LastPass really more secure? Surely Google knows a thing or two about cyber security. Then again, they did just have that thing happen with Google+ which caused them to shut it down entirely…