Is it safe to save your passwords in the Google Chrome browser? One big question that has always been on the mind of every Chrome user whenever you login to an account on your phone. Anyways, we are going to answer this question right here and now in subsequent paragraphs.
In a previous post on Betechwise, we already explained how to see passwords saved in Google Chrome. The feature is very useful if you have forgotten a password and need immediate access to the system or cannot create a new password just like when you forget your phone password and you can simply recover it with your Google account. But, is the mechanism that Chrome uses to store and protect saved passwords safe? Let’s understand how it all works.
You can adjust Chrome to remember website passwords. It works like this: when you enter a new password on a website, Chrome asks if you want to save it. To accept, click on “Save” and you’re done. The password will always be available in the browser.
Start or stop saving passwords in Chrome
By default, Google Chrome offers to save the password.
If for some reason it doesn’t or you want to disable the option:
- Open Google Chrome (desktop);
- In the upper right corner, click on “Settings”;
- And then on “Passwords”;
- Enable or disable the “Offer to save passwords” option.
In addition to the saved password, it is possible to decide whether you want an “automatic login” on sites where you have saved your credentials. When activating this feature, it is not necessary to confirm your username and password whenever you access, for example, your Facebook.
How to view, delete, or export saved passwords in Chrome
You can check what is already saved and decide to delete or even export the file.
- Open Google Chrome (desktop);
- In the upper right corner, click on “Settings”;
- And then on “Passwords”;
- You can now view, delete or export passwords:
- View: to the right of the site, click Show password (👁️). If you use a password to lock your computer (access to the desktop), you will be prompted for it;
- Remove: to the right of the site, click on More (…) and Remove (🗑️);
- Export: to the right of “Saved passwords”, click More (…) and Export passwords.
To clear all saved passwords, clear your browsing data and select “Passwords”.
How does Chrome save and sync passwords?
According to Google, how Chrome saves your passwords depends on whether you choose to store and use them on all devices (smartphone, tablet and/or computer). When synced, passwords can be used in Chrome on all of your devices and also in some Android apps you use.
With sync enabled for passwords in Chrome, passwords are saved to your Google Account. Otherwise, they are only stored in Chrome on your computer.
ESET, the maker of antivirus and other anti-malware solutions, gave more details on what mechanism Chrome uses to store and protect saved passwords and analyzed some more technical aspects of security on the topic.
According to Daniel Kundro, malware researcher at ESET Latin America. when a user clicks the “accept” button, this data (login and password) will be stored in an SQLite3 database of the web browser.
Which can usually be found at the following address:
% LocalAppData% \ Google \ Chrome \ User Data \ Default \ Login Data.
The danger of physical access and malware
This file, which contains the database, is used only by Google Chrome, therefore, and, presumably, no other software will access it. For obvious security reasons, passwords are not stored in plain text – they are encrypted.
This function is designed in the browser so that the data can only be decrypted by the same user of the operating system that was logged in when the same password was encrypted or on the same computer.
“If a cybercriminal has access to the computer, he can easily obtain passwords, decrypt them and steal them in plain text,” he explains. That is, if someone else has access to the computer, you can use simple methods and export passwords.
Testing with a Facebook account
However, physical access is not the only danger.
Some malware focus on exactly this browser feature and, when present on the machine, can make use of the feature.
“This type of behavior was observed in several malicious codes and even in banking trojans targeted specifically at Latin America, where they are intended to steal access credentials from home banking services”, adds Kundro.
Logging into Facebook with a fictitious username and password, the team accepted the option for Google Chrome to save credentials. Then, an attempt was made to locate the file with the saved information. To access it, just open the file with a program that allows you to view databases such as DB Browser for SQLite.
Entries reveal login data, which includes: URL, username and password. The stored password is encrypted in a BLOB structure and, when clicking on this field, the program shows its hexadecimal representation. There, the attacker already has the username, the website and the encrypted password, all that remains is to decrypt the password and that’s it.
“The cybercriminal takes advantage of the fact of having access (physical or virtual) to the device, as it is very likely that the active user is the same one who saved the password, allowing the information to be decrypted using the function: CryptUnprotectData.”
It sounds complicated, but for those who are interested in your data, it may not be.
“All of these steps can be performed by malware quickly and automatically. However, malware is not the only risk that we must take into account, since there are currently several programs that are easily accessible through an online search that are capable of performing these same steps, ”says Kundro.
Is it safe to save passwords in Google Chrome?
This will depend on how secure your computer is or how to use it. All risks mentioned are limited to the password-saving mechanism and the risk that stored passwords will be stolen. There is no doubt that the resource is useful.
But, be careful.
Ideally, you should not use automatic password saving with sensitive payment services, home banking, social networks, medical sites or that contain personal information that you would not want third parties to have access to. Make this filter in the list.
Good navigation.
