Google Chrome compromises your passwords

I just posted this as a reply to a thread on the subject of Google saving your Chrome browsing history in the ‘cloud’ even if you delete it from your local device (PC, laptop, tablet, phone), but it’s probably worth a thread of its own:
Saving passwords when using Chrome doesn’t simply save them on your local device but on the Google databases in the ‘cloud’. Try visiting passwords.google.com, then signing in, to see just how many of your passwords are accessible in this way. Clicking on the eye symbol reveals the password. What’s worse is that passwords saved when logged in to ALL of your linked Google accounts are accessible by logging in to just one. So if you have a Gmail account that you just use for ‘trivial’ things (so use a pretty basic or easy-to-guess password) and another for banking etc. for which you use a more secure password, someone guessing your weakest password can get access to all of your others! NEVER allow your web browser, especially Chrome, to save your passwords!

4 Likes

One can turn off the password save function. In Chrome, go to the drop-down menu (click on the three dots at the top right of the screen), click on Settings, click on Advanced Settings and then remove the tick from ‘Offer to save passwords with Google Smart Lock for Passwords’.

You can also delete the passwords which may have been inadvertently captured by Chrome.

It is worth noting that Chrome is not alone with the function…most other browsers also have a save password function.

I prefer to use a password vault which I chose myself and whose security I have also researched, rather than one like Google has developed for Chrome.

4 Likes

Thanks for this post, I just checked and found three passwords stored in the cloud. I deleted them and switched the auto-fill option off. On the bright side, Google notified me through SMS and email that someone was accessing my details, but I definitely feel better with no stored passwords. Thanks again. Rago

Hi, thanks for AndrewJames’ and phb’s posts. I have found that Chrome saved my passwords for different sites. I have deleted them.
I also notice that Chrome has connected me to different sites. One of them is Microsoft, which helps me to sign in to Gmail etc.
Should I delete the connection? If I do, would it affect my Gmail account? In Chrome it posts the message below:

“Microsoft apps & services has some access to your Google Account
To use some Microsoft apps & services features, you gave Microsoft apps & services some access to your Google Account. This access might include sensitive info.
Read, compose, send and permanently delete all your email from Gmail
See, edit, share and permanently delete all the calendars that you can access using Google Calendar”

Please advise me what to do.
Thanks

There are a few issues to deal with here.

Firstly, browsers like Chrome and most others can, if you want, save your userid and password for various sites you visit, and auto-fill these when the login page is displayed. If you visit many sites that require login, then there could be lots of these saved.

Secondly, Google provides an account, with a userid and a password. Many Google applications use this. Things like Gmail. Also, you can use this account to login to various other applications on other devices like your TV or phone.

Other sites build their login system to offer a login using Google, which means that site doesn’t need to know anything about a userid or password for you, just a token provided by Google. But that site may need to know some of your details and can ask Google for those, like user name, location, Gmail address, etc., but not your login id or password. If you use Google as a login, you can control some of these access permissions.

There is a protocol, OAuth2, that allows this to happen. But warning, it is not easy to understand what on earth is going on with this.

You will get this warning if you have connected your Google account to a Microsoft app or service, for example by adding your Gmail account to the Outlook app (desktop, smartphone, or web) or to the Windows Mail email app so you could use that app to check and send mail on that account.

That type of access is not a security problem if it was you who set it up.

@gregr mentioned the OAuth2 protocol. Simply put, that is a way of letting apps connect to certain specific aspects of a Gmail account without storing your password.

When setting up the access in the first place, you give the Google password to the app that needs the access; behind the scenes, it asks Google for access to your account; Google then separately tells you that the app is asking for access and asks you to confirm that; and if you say yes, it gives the app an OAuth token to use instead of a password when accessing the mailbox.

The access granted by the token is limited to whatever the app needs to access, and only by that app. For example, Outlook would only be able to access the Gmail mailbox. Not Google Drive, or your Google account settings, or anything else. And no other email app would be able to access the mailbox unless you had gone through this process with that app as well.

If that would explain why you’re seeing that message, and you want to keep using Outlook or Windows Mail to read and send Gmail, everything’s fine. You don’t need to do anything about this.

If you have never added the Gmail account to any Microsoft app, get back to us here and let us know that, and we’ll try to help you work out what’s going on. But don’t panic. There could still be an innocent explanation.

2 Likes
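
The flow @gregr and the reply above describe, as an added stand-alone Python sketch (written for this thread; it is not Google’s, Microsoft’s or any OAuth library’s code): a toy authorization server shows the user a consent prompt, hands the app a one-time code after approval, lets the app redeem that code with its own client secret, and issues a token that only works for the scopes granted and stops working once the user removes the app. The scope names, the client id "mail-app", the redirect URL and the user address are all made up for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical scope names for this illustration (not Google's real scope strings).
MAIL, CALENDAR, DRIVE = "mail", "calendar", "drive"


@dataclass(frozen=True)
class Grant:
    client_id: str       # the app the token was issued to
    user: str            # the account it was issued for
    scopes: frozenset    # what the token may touch, and nothing more
    expires_at: float


class AuthorizationServer:
    """Stand-in for the account provider (the 'Google' side of the flow)."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.pending = {}   # consent_id -> (client_id, user, scopes) awaiting the user
        self.codes = {}     # one-time authorization code -> (client_id, user, scopes)
        self.tokens = {}    # access token -> Grant

    def register_client(self, client_id, redirect_uri):
        secret = secrets.token_urlsafe(24)
        self.clients[client_id] = (secret, redirect_uri)
        return secret

    def begin_authorization(self, client_id, redirect_uri, scopes, user):
        """The app sends the user here; the provider records the request and prompts the user."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match the registered one")
        consent_id = secrets.token_urlsafe(16)
        self.pending[consent_id] = (client_id, user, frozenset(scopes))
        return consent_id

    def user_consents(self, consent_id, approve):
        """The signed-in user answers the prompt; approval yields a one-time code for the app."""
        client_id, user, scopes = self.pending.pop(consent_id)
        if not approve:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scopes)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Back-channel step: only the registered app, proving its secret, can redeem the code."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        code_client, user, scopes = entry
        if code_client != client_id or self.clients[client_id][0] != client_secret:
            raise PermissionError("client authentication failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Grant(client_id, user, scopes, time.time() + 3600)
        return token

    def revoke_client(self, user, client_id):
        """What 'remove access' in account settings does: every token for that app dies."""
        self.tokens = {t: g for t, g in self.tokens.items()
                       if not (g.user == user and g.client_id == client_id)}


class ResourceServer:
    """Stand-in for the mailbox/calendar/drive APIs: it checks a token, never a password."""

    def __init__(self, auth):
        self.auth = auth

    def access(self, token, scope):
        grant = self.auth.tokens.get(token)
        if grant is None or grant.expires_at < time.time():
            return False
        return scope in grant.scopes


def run_flow():
    """Walk one app through the flow and report what its token can and cannot do."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    user = "someone@example.com"                     # constructed
    redirect = "https://mail-app.example/callback"   # constructed
    secret = auth.register_client("mail-app", redirect)

    # 1. The app asks for mail and calendar access; the provider prompts the user.
    consent = auth.begin_authorization("mail-app", redirect, {MAIL, CALENDAR}, user)
    # 2. The user approves; the app receives a one-time code, never the password.
    code = auth.user_consents(consent, approve=True)
    # 3. The app redeems the code for a token using its own client secret.
    token = auth.exchange_code(code, "mail-app", secret)

    results = {"mail_allowed": api.access(token, MAIL),
               "drive_allowed": api.access(token, DRIVE),
               "code_reusable": True}
    try:
        auth.exchange_code(code, "mail-app", secret)   # codes are single-use
    except PermissionError:
        results["code_reusable"] = False
    # 4. The user removes the app from their account; the token stops working.
    auth.revoke_client(user, "mail-app")
    results["mail_after_revoke"] = api.access(token, MAIL)
    return results
```

Calling `run_flow()` returns mail access allowed, Drive access refused, the code unusable a second time, and mail access refused after revocation, which is the behaviour the post describes in words: the app gets a token scoped to the mailbox, not a password, and the account owner can cut that token off from the account’s settings page.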

Since the post was made in 2017, Google Chrome has added a password manager embedded in the browser:

https://passwords.google.com/intro

To turn off the password manager saving logins and passwords:

  1. On your computer, open Chrome.
  2. At the top right, select Profile > Passwords. If you can’t find the Passwords icon, at the top right, select More and then Google Password Manager.
  3. On the left, select Settings.
  4. Turn Offer to save passwords on or off.

2 Likes

Thanks, every member is so helpful!
Being a Choice member is worth every cent.

1 Like

Chrome may now have a Password Manager, but it’s not based on ‘best practice’ ‘zero-knowledge encryption’. Google can see everything you save. While there is an ‘optional’ feature to enable on-device encryption of passwords, even when this is enabled, the key to decrypt the information is stored on the device. Having suffered attempted identity theft, I have researched this subject, and now use a password manager that uses zero-knowledge encryption. Surprisingly, not all password managers do. To understand why this is important, ask Google to search for information on LastPass’s security breaches (LastPass being a password manager which once managed passwords for over 25 million registered users).
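
The property the post calls ‘zero-knowledge’ (the service stores a vault it cannot read, because the key exists only on the client) as an added stand-alone Python sketch. It is written for this thread and is not the code of any password manager, Google’s or otherwise; the master passphrase and the vault entry are made up, and the HMAC-SHA256 counter-mode stream cipher is a standard-library-only stand-in so the example runs without third-party packages (a real product would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead).

```python
import hashlib
import hmac
import secrets
from typing import Optional


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Client-side key derivation; the master password itself never leaves the device."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an illustrative stdlib-only stream cipher, not a vetted AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, vault: bytes) -> dict:
    """Encrypt-then-MAC on the client; the returned blob is all the service ever stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]      # separate keys for encryption and integrity
    ciphertext = bytes(p ^ k for p, k in zip(vault, _keystream(enc_key, nonce, len(vault))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, blob: dict) -> Optional[bytes]:
    """Returns the plaintext, or None if the password is wrong or the stored blob was altered."""
    key = derive_key(master_password, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):   # constant-time comparison
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


def service_view(blob: dict) -> list:
    """The fields a zero-knowledge service holds: no key and no password among them."""
    return sorted(blob)


def demo() -> dict:
    vault = b'{"example.com": "correct horse battery staple"}'   # constructed sample entry
    blob = seal_vault("my master passphrase", vault)
    # Simulate a service-side modification of one ciphertext byte.
    tampered = dict(blob, ciphertext=bytes([blob["ciphertext"][0] ^ 1]) + blob["ciphertext"][1:])
    return {
        "stored_fields": service_view(blob),
        "right_password": open_vault("my master passphrase", blob) == vault,
        "wrong_password": open_vault("guess", blob) is None,
        "tampered_rejected": open_vault("my master passphrase", tampered) is None,
    }
```

The contrast the post draws is visible in what `seal_vault` hands over: salt, nonce, ciphertext and tag, but never the derived key. A design that keeps the decryption key on the device next to the data (or on the service side) removes that separation, which is why a breach of the service’s database is far less serious for a vault of the first kind than the second.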

The saved login credential facility that all the browsers I use have is not what I consider to be a password manager as such.

The browser just saves the userid and password related to a website login page and can autofill and log you in without displaying the login page.

Good enough for my purposes and as it is stored locally on the browser, I am not too concerned about compromised passwords. Important sites require more than just a login id and password. MFA is used.

So as long as I keep hackware off my computers that can intercept the userid and password, then I’m pretty safe.