Google has improved the password management built into the Chrome browser. It’s . . . okay! Not bad! Better than nothing, absolutely. Saving passwords in Chrome is easy and kind of secure, as long as you take a couple of precautions that we’ll talk about below.
First, to be clear: everyone should use LastPass or another full-fledged password manager. The important reason is that LastPass is more secure – and this is an extraordinarily dangerous time to be online. You will probably also find an extra feature that makes a password manager a better choice; maybe it will be sharing passwords with family members, or using the LastPass app on a phone, or storing other secure information about driver’s licenses or passports.
But I know some of you won’t use LastPass. It’s a little complicated to get started. It only works if it becomes a habit, and it’s hard to change our habits. Don’t worry, I’m not judging you, at least as far as you know. Let’s look at what Chrome can do to help you with passwords.
All of you have seen the window in the above screenshot: “Do you want Google Chrome to save your password for this site?” There is a password manager built into Chrome. It’s been there for years. It does some of the same things as any password manager: it offers to save passwords for websites when you sign in for the first time, and it tries to automatically fill in the password when you return to the site.
Chrome has handled passwords in a mediocre and uninteresting way for several years, not very helpful but not bad enough to warn you about.
Now, though, Google has added a feature that is genuinely helpful. If you’re not going to use LastPass, then you should know what Chrome can do to keep you safe.
When you create a new account on a website, Chrome will now automatically suggest a complex, unique password. This is a big deal! It will help you get started on the process of trusting your password manager and not using the same password everywhere.
If you are logged into your Google account when you use Chrome (and you probably are), then Google has also made it easier to access your saved passwords by adding them to the dropdown menu when you click the account icon in the upper right corner. (You can also click on Settings / Passwords, or type in chrome://settings/passwords.) It’s optional but convenient to sync your passwords online, so they’re stored in your Google account and can be accessed from other devices.
When you look up your saved passwords, Google has increased security by requiring the Google account password to be entered again before a password can be displayed. Once you’ve done that, you can look up passwords and copy/paste them into websites.
Chrome is limited as a password manager: it’s not meant to be used for anything besides website passwords, and it’s a bit clumsy to look up a password on phones. (The LastPass app is far better on a phone. It’s easy to look up a password in the app. Sometimes the app can pull up a site and automatically fill in the password. It’s also supposed to pop up and offer to fill in passwords on apps, but that’s pretty sketchy so far.)
So Chrome’s password manager can save passwords and fill them in automatically, and now it helps you use secure passwords. What could go wrong?
How to be safe using Chrome’s password manager
Fiercely guard your Google account password
Before we get to passwords, surely you already have in mind that Google knows everything about you. It knows what websites you’ve visited, it knows where you’ve been in the real world thanks to Android and Google Maps, it knows who your friends are thanks to Google Photos. All of that information is readily available if you log in to your Google account. You already have good reason to treat the password for your Google account as if it’s a state secret.
But now the stakes are higher. You’re trusting Google with the passwords that protect the rest of your life – your bank, your shopping, your travel, your private life.
If someone learns or guesses your Google account password, you are completely compromised. The password has to be complex and unique. You have to treat your Google account password with the same care as a LastPass user. Perhaps more so, because it’s easier to reset a Google account password.
If your passwords are saved in Chrome, you should strongly consider using two-factor authentication to log into your Google account. I’ll talk about that in the next article.
Start locking your Windows computer when you walk away
Hold down the Windows key and hit the letter “L”. You’ll lock the computer so that no one can use it without a password. Your programs will stay open, so it’s not the same as tidying up and logging out. If you use a computer at work where someone else might have access to it, get in the habit of locking it every time you stand up. Your Chrome browser keeps you logged in to your Google account for convenience, so if it’s not locked, anyone with access to the computer can walk up and see all the information stored in your Google account with no difficulty. They might not get your passwords if they don’t know the password to the Google account, but frankly, I’m not completely sure of that and I don’t want any mistakes.
Locking your Windows computer is a good habit in general, to prevent unauthorized access to your mail, your files, and all the other things that you can get to from your desk. Your Google account is becoming one of the most important things to protect, so let’s choose that as the reason to begin hitting Windows key + L regularly.
If you’re a LastPass user, turn off Chrome password management
There’s no reason to have Chrome collecting passwords if you’re using LastPass. You can import saved passwords from Chrome into LastPass – on the LastPass menu or in the Vault, click on Settings / More Options / Advanced / Import. Then open up chrome://settings/passwords and turn off “Offer to save passwords.”
Security matters more than ever. Protect your passwords, protect your Google account, protect your Windows computer, and be careful out there!