If you use Google Chrome as your Web browser, which you likely do, as it’s the most popular Web browser in the U.S., there’s something you should know that Google’s not telling you: all your passwords saved within the browser are actually very, very easy to access. According to The Telegraph, software developer Elliott Kember discovered the security hole while importing his bookmarks from Safari to Chrome, finding that it was mandatory to import saved passwords.
Kember soon realized that anyone with physical access to his computer can view passwords stored in Chrome by simply typing “chrome://settings/passwords” into the Chrome address bar. A list of websites and their saved passwords instantly appears, and a click of the “show” button next to each blanked-out password reveals the full password. If you’re anal about locking your computer every time you leave its side (in a coffee shop when you go to the bathroom, at work when you hit the water cooler, or even at home when your roommate’s crazy friend is over), then you don’t have to worry too much. However, Kember points out that the average person doesn’t know Chrome works like this.
The solution of a master password has been brought up, but according to Justin Schuh, head of Google’s Chrome developer team, by changing its system to support a master password, Google would be “lull[ing] our users into a false sense of security.” Whether or not Google decides to release an update to Chrome that changes the way it handles stored passwords, it’s a good idea to protect your privacy.
A few good ways to minimize your vulnerability to attack are to use a unique password for each and every service you log into, change your passwords often, and make sure each of those passwords is as secure as possible. (DT’s Geoff Duncan provides a solid overview of how to create a strong password yourself.) But that can become a burdensome task. Luckily, software exists to help carry some of the weight. Here’s a quick overview of password manager apps – but we still suggest not telling any browser your password and locking your computer whenever you step away from it.
What does a password manager do?
Basic password managers have just one function: they save your login information for different sites so you don’t have to. This is a feature available in any modern Web browser. While such a feature may be handy, this type of password management isn’t going to do you any good – in fact, it could even make you more vulnerable, since browsers are often anything but secure. (Note: Firefox’s password manager is known as a quality, free option.)
The type of password managers you should look into have a few far more helpful features. First, they encrypt all your login information and other types of data that you might often hand over to a website, like your address, or bank or credit card information. This allows you to not only keep your personal data secure, but to also organize the dizzying array of passwords that many of us have to manage. Second, many password managers generate unique, complicated passwords that are extremely difficult to crack. Through these two functions, password managers ensure that you have the strongest possible password, and do the hard task of “remembering” your passwords for you. Any password manager you use ideally performs both of these security functions.
Many quality password managers also include password ranking, which will tell you which of your passwords are weak and which are strong, and give you the ability to easily change the puny ones out for something more robust.
How do password managers work?
Without getting into technical jargon, password managers save your information in an encrypted file, which is only accessible through the use of a “master password.” By doing this, all of your various online services are secured, but you only have to remember one password. In turn, it is extremely important for you to make sure your master password is extremely high quality. (See here for how to create a great password.)
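To make the description above concrete (the encrypted file, the single master password that unlocks it, the password generator and the strength ranking mentioned earlier), here is an added example that is not code from the original article or from any of the products it discusses. It assumes a vault laid out as salt + nonce + ciphertext + authentication tag; the master password is stretched with PBKDF2-HMAC-SHA256 so that guessing it is slow, and the wrong master password is rejected by the tag check before any data is returned. The HMAC-based keystream cipher is a stand-in used only because Python’s standard library ships no block cipher; real managers such as KeePass use AES or Twofish for this step.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string

# Constructed example values; a real vault would use a library block cipher
# (AES, Twofish) in place of the HMAC keystream below.
PBKDF2_ITERATIONS = 600_000   # slows down offline guessing of the master password
KEY_LEN = 32                  # bytes per derived key
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32                  # SHA-256 HMAC tag


def derive_keys(master_password, salt):
    """Stretch one master password into separate encryption and MAC keys."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return stretched[:KEY_LEN], stretched[KEY_LEN:]


def _keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(master_password, entries):
    """Encrypt a dict of site -> credentials into one authenticated blob."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers everything a reader will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(master_password, blob):
    """Return the entries only if the master password (and the blob) check out."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob is truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong master password and tampering look the same: nothing is decrypted.
        raise ValueError("wrong master password or vault tampered with")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG, never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Rough strength ranking: bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    vault = {"example.com": {"user": "alice", "password": generate_password()}}
    blob = lock_vault("correct horse battery staple", vault)   # constructed master password
    print(unlock_vault("correct horse battery staple", blob) == vault)
    try:
        unlock_vault("wrong password", blob)
    except ValueError as err:
        print("rejected:", err)
```

The two things worth noticing are that the master password never appears in the file in any form (only a salted, stretched key derived from it is used) and that a wrong guess costs an attacker the full PBKDF2 run each time, which is why the text’s advice to pick a very strong master password is the whole game.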
Are there different types of password managers?
Yes – quite a few, actually. A few of the most popular include desktop applications, which often store your personal information on an encrypted local file (as opposed to on an external server); Web- and cloud-based apps, which store your information on their servers; and “token” managers, which require the use of a secure USB flash drive or other physical, external device, which must be used in conjunction with an app. Many password managers are a combination of these categories. There are also quite a few password managers for smartphones, many of which come with paid password manager apps for your computer.
Which password managers do you recommend?
LastPass 2.0 is one of the best password managers available. And to sweeten the deal, it’s free! (A pay version also exists, which gives you more features for $12 per year.) LastPass is available for Windows, Mac, and Linux (and iOS, Android, and Windows Phone – more on that later). Once you’ve set up your master password, LastPass will import all of your saved login credentials (usernames and passwords) from Firefox, Chrome, Internet Explorer, Opera, and Safari. It then allows you to delete all of this information from your computer to keep it secure. After that, all you need to remember is your super-secure LastPass password.
Other free LastPass features include form autofill (for things like shopping online); multiple identities for work, school, and personal use; secure password generation; and even free credit monitoring to keep track of any suspicious activity on your financial accounts. And because LastPass stores your information (in an encrypted form) on its cloud servers, you can use LastPass on computers other than your personal PC.
LastPass also supports two-factor authentication for added security, such as the use of a YubiKey. LastPass Premium gives users the ability to further enhance their security with a fingerprint reader. Its iOS and Android apps are also available to paying customers.
Another extremely popular and reliable password manager is 1Password. In fact, many people now prefer 1Password (“1Pass,” for short) over LastPass due to a rumored security breach of LastPass in 2011. (Many still swear by LastPass, however.) The only downside here is that 1Password will cost you $50 for one license, $70 for both a Mac and a Windows version, and $70 for a “family license” for up to five people. It’s not a lot of money if it saves you from being hacked or having your identity stolen – but it is more than the $0 you’ll spend on LastPass.
That said, 1Password does come with some added perks. In addition to all of the features available through LastPass – Mac/Windows compatible, iOS/Android apps, password generation, etc – 1Password also has an extremely easy-to-use UI. More importantly, however, is the fact that, unlike LastPass, 1Password does not store any of your information in the cloud, which may be less secure and is completely out of your control.
If you’re looking for a good middle-of-the-road solution, you might try KeePass, which is free, open-source, and stores your encrypted data locally. It also uses the highly secure AES and Twofish encryption algorithms. The downside here – there’s always a downside – is that KeePass’s UI is far more basic than 1Password, and it doesn’t always integrate well with all browsers.
Per a reader’s suggestion, RoboForm Everywhere is another fantastic password manager, and is often preferred over any of the previously mentioned options. RoboForm is available for PC, Mac, iOS, and Android. And, like KeePass and 1Password, RoboForm stores your information locally, rather than in the cloud. If you’re on a PC, we recommend the RoboForm2Go version, which installs on a USB drive rather than your computer’s hard drive. This will allow you to easily take RoboForm with you, and provides an extra level of security, as the USB drive must be plugged in before the encrypted information is accessible to anyone.
Are password managers still vulnerable?
Absolutely. Any computer or system is vulnerable to attack, just by its nature. And because you must use a master password for most password managers, an obvious entry point remains for all these types of services. If someone gains access to your password manager, well, then you’re wide open for attack. Also, as mentioned, password manager systems that store your information in the cloud (like LastPass) are potentially more vulnerable than those that store the data locally – but even that is not a guarantee.
That said, if you create a high-quality password as your master password, don’t keep that information stored anywhere but your brain, and make use of multi-factor authentication, then the chances of someone being able to hack you are far less than they would be without the use of a password manager, cloud-based or otherwise. Unless, of course, someone just calls up Apple and pretends to be you. If that happens, well, good luck…
This story was originally published August 6, 2012, and updated August 7, 2013.