
How to Protect Your Website Passwords in Chrome

If you leave a room without locking your Windows account, your siblings or friends can read all your passwords saved in Chrome. Firefox and IE aren't much better. Here's how to protect those passwords.

By Neil J. Rubenking
August 7, 2013

A blog post published yesterday by software developer Elliott Kember caused quite a stir. Titled "Chrome's insane password security strategy," the post points out that anybody with access to your Windows account can view all of your Chrome-saved passwords in plain text. That's a huge security risk, and Chrome is not the only browser affected.

To see the extent of the problem, launch Chrome's Settings page and click the link at the bottom that says "Show advanced settings..." Scroll down to the section titled Passwords and forms, then click the link titled Manage saved passwords.

It doesn't look so bad at first—just a list of the sites for which you've let Chrome save passwords. However, when you click on any item in the list a button labeled Show appears next to the password. Yes, clicking the button displays the password in plain text. You can see it, and anybody else who gets access to your computer can see it.

Firefox, Too
Is Firefox your preferred browser? In that case, you've got a little more security available. Select Options from the Tools menu and click the Security tab. Note the checkbox titled "Use a master password." If you've checked this and defined a strong master password, your credentials are safe from casual snooping. If not, they're even more exposed than in Chrome.

To see why, click the Saved Passwords button. Initially it just displays the websites and corresponding usernames, but with the click of a button you can show all the passwords at once.

Internet Explorer's Better
A recent study by NSS Labs revealed that Internet Explorer's default settings protect your privacy better than Firefox, Safari, or Chrome. In fact, Chrome came in last for privacy protection.

IE also handles saved passwords better. The encrypted passwords reside in the Registry, and there's no mechanism to display them in IE. However, there are plenty of free third-party utilities that will dump this password cache and make all the passwords visible.

Google Responds
In a response to the original post, Chrome browser security tech lead Justin Schuh defended Chrome's password-handling behavior. Schuh contends that once a malefactor gets into your Windows user account, it's already Game Over, so adding a master password or otherwise protecting the saved passwords is pointless.

The comment thread is entertaining; it's a virtual fistfight right on the page. I have to agree with those who point out that theft of your system by a hacker is just one possible scenario. Do you lock down your user account when you briefly leave a roomful of friends? They could grab a password to prank you, or a jealous ex could do some real harm.

Twitter is abuzz with comment. One wag tweeted, "@justinschuh if you think that's a response then Chrome is in trouble. It's worse than Steve Jobs 'Don't hold it that way' response." On a more serious note, Tim Berners-Lee himself weighed in, saying, "How to get all your big sister's passwords http://blog.elliottkember.com/chromes-insane-password-security-strategy... and a disappointing reply from Chrome team."

Protect Your Passwords!
Whichever browser you use, this simple four-step plan will protect your passwords from snooping.

  • Install a password manager
  • Import passwords saved by your browser
  • Delete all browser-saved passwords
  • Turn off password-saving in the browser

The mere fact that third-party password managers can import passwords from your browser should be a red flag. If they can do it, a malicious application that got past your antivirus could do it too.

LastPass 2.0 (free) and Dashlane 2.0 (inexpensive) do a great job with browser-saved passwords. Not only can they import from Chrome, Firefox, and Internet Explorer, they'll also delete those passwords from the browser and turn off the password-saving feature. Not surprisingly, both are Editor's Choice products in this category. Note that LastPass extends this feature to Opera and Safari as well.

In Chrome, Firefox, and IE, manual deletion of saved passwords starts with pressing Shift+Ctrl+Del. The dialog that appears lets you delete a variety of browsing history components. Use it to specifically delete passwords. Firefox and Chrome ask what time period to clear. In Firefox, choose "Everything"; in Chrome, select "from the beginning of time." 

That just leaves turning off the password-saving feature. In Chrome, launch Settings, click the link for advanced settings, and un-check "Offer to save passwords...". In Firefox, click the Security tab in the Options dialog and un-check the box "Remember passwords for sites." For IE, you have to dig a little deeper. In the Internet Options dialog, click the Content tab and then click the Settings button in the AutoComplete panel. Un-check the "User names and passwords..." box to turn off this feature.
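To confirm that the last two steps of the plan actually took effect, the following added example (not part of the original article) audits a Chrome and a Firefox profile folder: it counts the logins still stored and reads the password-saving preference, without ever reading a password value. The file names and preference keys (`Login Data`, `credentials_enable_service`, `logins.json`, `signon.rememberSignons`) are assumed from recent Chrome and Firefox builds and may differ from the 2013 versions described here; the sample profiles are constructed.

```python
import json, re, sqlite3, tempfile
from pathlib import Path

def audit_chrome(profile: Path) -> dict:
    """Count saved logins and read the save-passwords pref; password values are never read."""
    saved, db = 0, profile / "Login Data"
    if db.exists():
        con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro", uri=True)  # read-only
        saved = con.execute("SELECT COUNT(*) FROM logins").fetchone()[0]
        con.close()
    pref_file = profile / "Preferences"
    prefs = json.loads(pref_file.read_text(encoding="utf-8")) if pref_file.exists() else {}
    # An absent key means the default, which is to offer to save passwords.
    return {"saved": saved, "saving_enabled": prefs.get("credentials_enable_service", True)}

def audit_firefox(profile: Path) -> dict:
    store, pref_file = profile / "logins.json", profile / "prefs.js"
    saved = len(json.loads(store.read_text(encoding="utf-8")).get("logins", [])) if store.exists() else 0
    text = pref_file.read_text(encoding="utf-8") if pref_file.exists() else ""
    m = re.search(r'user_pref\("signon\.rememberSignons",\s*(true|false)\)', text)
    return {"saved": saved, "saving_enabled": m.group(1) == "true" if m else True}

def remaining_steps(name: str, result: dict) -> list:
    todo = []
    if result["saved"]:
        todo.append(f"{name}: delete {result['saved']} browser-saved password(s)")
    if result["saving_enabled"]:
        todo.append(f"{name}: turn off password saving")
    return todo

def build_sample(root: Path):
    """Constructed profiles: Chrome untouched, Firefox already cleaned up."""
    chrome, firefox = root / "chrome", root / "firefox"
    chrome.mkdir(); firefox.mkdir()
    con = sqlite3.connect(chrome / "Login Data")
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                    [("https://a.example", "alice", b""), ("https://b.example", "alice", b"")])
    con.commit(); con.close()
    (chrome / "Preferences").write_text(json.dumps({"profile": {"name": "sample"}}))
    (firefox / "logins.json").write_text(json.dumps({"logins": []}))
    (firefox / "prefs.js").write_text('user_pref("signon.rememberSignons", false);\n')
    return chrome, firefox

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        chrome, firefox = build_sample(Path(tmp))
        for line in (remaining_steps("Chrome", audit_chrome(chrome))
                     + remaining_steps("Firefox", audit_firefox(firefox))):
            print(line)
```

Run it against a real profile folder only with the browser closed, since a running browser may hold a lock on its login store.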

Improve Your Passwords
Now that you've gotten your passwords out of insecure, browser-based storage, take a little time to upgrade them. Both LastPass and Dashlane will provide you with a security report listing the weakest passwords and also identifying those you've used on multiple websites (a security risk). Take a little time each day to replace the worst passwords with strong ones—since you've got a password manager you can have it generate crazy-strong passwords like 5GZk8cpC*XYs (freshly generated by LastPass).


About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
