
How-To Geek

How Secure are Your Saved Chrome Browser Passwords?


A common question about the Google Chrome Browser is “why isn’t there a master password?” Google has (unofficially) taken the position that a master password provides a false sense of security and the most viable form of protection for this sensitive data is through overall system security.

So exactly how secure is your saved password data inside of Google Chrome?

Viewing Saved Passwords

Chrome includes its own password manager, which is accessible via Options > Personal Stuff > Manage saved passwords. This is nothing new, and if you allow Chrome to store your passwords, you are probably already aware of this feature.

A nice touch of minor security is that you must first click the show button next to each password you want to view.


While there is no restriction to access this screen (i.e. if you have access to the desktop where Chrome is installed, you can get to the passwords), there is at least user intervention required to view each password with no way to export them in bulk to a plain text file.

Where is the Password Data Stored?

The saved password data is stored in an SQLite database located here:

%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data

You can open this file (the file name is just “Login Data”) using SQLite Database Browser and view the “logins” table which contains the saved passwords. You will notice the “password_value” field is unreadable because the value is encrypted.


How Secure is the Encrypted Data?

To perform the encryption (on Windows), Chrome uses a Windows-provided API function which makes the encrypted data decipherable only by the Windows user account that was used to encrypt the password. So essentially, your master password is your Windows account password. As a result, once you are logged into Windows using your account, this data is decipherable by Chrome.

However, because your Windows account password is a constant, access to the “master password” is not exclusive to Chrome as external utilities can get to this data – and decrypt it – as well. Using the freely available utility ChromePass by NirSoft, you can see all your saved password data and easily export it to a plain text file.


So it makes sense that if the ChromePass utility can access this data, malware running as the respective user could access it as well. When ChromePass.exe is uploaded to VirusTotal, just over half of the anti-virus engines flag it as dangerous. While in this case the utility is safe, it is a bit reassuring to see that this behavior is at the very least flagged by many AV packages (although Microsoft Security Essentials is not one of the AV engines which reported it as dangerous).


Can the Protection Be Circumvented?

Suppose your computer is stolen and the thief resets your Windows password in order to natively log in to your installation. If they were to subsequently try to view the passwords in Chrome or use the ChromePass utility, the password data would not be available. The reason is simple: the “master password” (which was your Windows account password prior to them forcefully resetting it outside of Windows) no longer matches, so the decryption fails.


Additionally, if someone were to simply copy the Chrome password SQLite database file and try to access it on another computer, ChromePass would display empty passwords for the same reason explained above.
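To make the “your master password is your Windows password” argument concrete, here is an added Python model (not Chrome’s or Windows’ code) of how the Windows API binds the data to the account: a per-user master key is wrapped under a key derived from the logon password, and each saved password is encrypted under that master key. The cipher is a standard-library toy standing in for the real primitives, and the passwords, the “htg-secret” value and the constant iteration count are constructed for the example.

```python
import hashlib, hmac, os

def _kek(password, salt):
    # Key-encryption key derived from the account password (stands in for DPAPI's derivation)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 32)

def _keystream(key, label, n):
    # One HMAC-SHA256 block as a toy keystream (n <= 32); only so the model runs on stdlib alone
    return hmac.new(key, label, "sha256").digest()[:n]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class WindowsAccount:
    # Logon password plus a DPAPI-style per-user master key wrapped under that password
    def __init__(self, password):
        self.password = password           # what the logon screen checks
        self._master_key = os.urandom(32)  # never stored in the clear
        self.salt = os.urandom(16)
        self.wrapped_key = _xor(self._master_key, _keystream(_kek(password, self.salt), b"wrap", 32))
    def logon(self, password):
        # Unwrap with whatever password the logon check currently accepts
        if password != self.password:
            return None
        return _xor(self.wrapped_key, _keystream(_kek(password, self.salt), b"wrap", 32))
    def offline_reset(self, new):
        # Boot-disk reset: only the logon check changes; the wrapped key is left as it was
        self.password = new

def protect(master_key, plaintext):
    # Model of CryptProtectData: encrypt-then-MAC under the user's master key
    nonce = os.urandom(12)
    ct = _xor(plaintext, _keystream(master_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(master_key, nonce + ct, "sha256").digest()

def unprotect(master_key, blob):
    # Model of CryptUnprotectData: None when the key does not verify (ChromePass shows blanks)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(master_key, nonce + ct, "sha256").digest()):
        return None
    return _xor(ct, _keystream(master_key, nonce, len(ct)))

def demo():
    acct = WindowsAccount("Winter2011!")
    blob = protect(acct.logon("Winter2011!"), b"htg-secret")  # Chrome saving a password
    same_user = unprotect(acct.logon("Winter2011!"), blob)    # same account, logged in normally
    copied_elsewhere = unprotect(os.urandom(32), blob)        # database copied to another PC
    acct.offline_reset("letmein")                             # thief resets the password with a boot disk
    after_reset = unprotect(acct.logon("letmein"), blob)      # key still wrapped under the old password
    return same_user, copied_elsewhere, after_reset
```

Only the first case recovers the saved value; the copied database and the offline reset both yield None, which is the “empty passwords” behaviour described above.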


Conclusion

At the end of the day, the security of the Chrome saved passwords depends totally on the user:

  • Use a very strong Windows account password. Keep in mind, there are utilities which can decipher Windows passwords. If someone gets your Windows account password then they have access to your saved browser passwords.
  • Protect yourself from malware. If utilities are able to easily access your saved passwords, why can’t malware?
  • Save your passwords in a password management system such as KeePass. Of course, you lose the convenience of having the browser auto-fill your passwords.
  • Use a third-party utility which integrates with Chrome and uses a master password to manage your passwords.
  • Encrypt your entire hard drive using TrueCrypt. This is completely optional and for the ultra protective, but if someone can’t decrypt your drive they surely can’t get anything off of it.

The bottom line is simply to keep your system secure and your Chrome passwords should be reasonably secure as well.


Download ChromePass from NirSoft

Download SQLite Browser from Sourceforge

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 08/23/11

Comments (15)

  1. hakke

    I use the LastPass extension in my browser. It has the ability to auto-fill passwords after entering the master password. It also works on different browsers and cross platform. Syncing and using is very easy.

  2. Tom Thorogood

    You can still have the auto-fill feature with KeePass using the ChromeIPass plugin: https://chrome.google.com/webstore/detail/ompiailgknfdndiefoaoiligalphfdae

  3. JohnM

    “Use a very strong Windows account password.”

    useless; a boot disk resets any account's password, so all those Chrome passwords are available to anyone
    http://pogostick.net/~pnh/ntpasswd/

  4. gyffes

    I really really dislike Chrome’s lack of a master password. I do not take comfort from your analysis (though I appreciate it, btw) — Google’s off its collective rocker, here.

  5. Jason Faulkner

    @JohnM – As covered in the article, I did reset the Windows password and the Chrome passwords were not readable afterwards.

  6. JohnM

    woops, sorry Jason! :)

  7. Cornfed

    Yeah, LastPass is the way to go. I used it in Firefox, and now in Chrome.

  8. Jason Faulkner

    @hakke, @Cornfed – Regarding LastPass, I’ll stand by my response in the IE PW security analysis article:
    I’m not a fan of LastPass. Call me paranoid but I don’t want _anyone_ having all my passwords but me, regardless of what their about page claims with regards to encryption and privacy… just look at DropBox.

  9. superfahd

    just wondering how many people tried to log into HTG with the HTGDummy log in in the screenshot…besides me i mean

  10. Teleston

    Read about a different approach to the Google Chrome password store in the Ubuntu Linux environment:

    http://egeorgantas.blogspot.com/2011/05/ubuntu-users-how-to-add-password.html

  11. gsingh2011

    Lastpass is the way to go. Having no master password makes no sense… User interaction isn’t going to stop anyone from clicking show in someone else’s chrome password list. I was amazed when I first found out chrome didn’t have a master password feature, so amazed I stayed with Firefox years after it came out. Now with Lastpass I can securely use chrome, although I would much rather have google put in a master password feature.

  12. Andy

    Using the built-in password manager is one of the dumbest things to do.

    LastPass for casual users, KeePass for advanced ones.

  13. Missa

    I do not use any applications or extensions for storing passwords when using the browser from “Google.” I also disabled saving passwords in the browser and use a good browser extension, “ClickClean”; it is available in the Google shop for free. I store passwords in a WordPad document and keep this file on removable media. So much better. I still use the program CCleaner =) !

    “How to Geek” & Jason Faulkner Thank You! It was new For Me! Thanks! Arigatou (^_^) !

  14. Joe Bow

    I don’t need passwords, I just drop my pants and the pages open up straight way for me.

  15. adrian

    you can open the password list
    via Options > Personal Stuff > Manage saved passwords
    even in full Linux, so where do you get a Windows password on such a PC?
    or is it some other pw?
