Saving Passwords in Google Chrome is Risky Business – Don’t Do It

We know this is a dead horse, but we’re going to beat it anyway. Why? Because we can never stress enough how important it is to keep your data out of the hands of cybercriminals. Listen closely:

DON’T LET CHROME OR ANY OTHER BROWSER SAVE YOUR PASSWORDS!

Is it convenient? Yes. Does it save you from having to type in passwords? Yes. Does it put your company in jeopardy? Yes. And here’s why. Anyone who has access to your computer – either remote or physical – can view your passwords. “But doesn’t one have to know the master password to gain access to all the saved passwords?” you ask. Nope.

Anyone With Access to Your Computer Can See Your Saved Passwords

In fact, it doesn’t take any hacking skills whatsoever to see a password. In Chrome, for instance, you can follow these steps to reveal a password:

  • On the login page of a website, right-click the password field.
  • Select Inspect Element.
  • Double-click on type="password", and replace password with text.
  • Hit Enter, and close the Element Inspector.
  • The password will be revealed for all to see.

Some websites even provide you with the handy eye icon to reveal your password.

You have to remember that browsers are not meant to be password managers. Google is not a security company – it is a for-profit company whose product is your data. The password manager in Chrome is just a feature meant more for convenience – not security.

Just Stop it. Now.

If Google is the only place you store your passwords, we urge you to discontinue the habit of allowing Chrome to save your passwords and to use a password manager from a credible security company. You will need to remove the saved passwords from Google by clicking on the three dots next to each saved password and choosing Remove. You can extract your passwords from Google by following these steps:

  • Click on the three dots to the right of your avatar
  • Select Settings
  • Under “Autofill” click Passwords – here you can also disable the prompt from Chrome to save your passwords and Auto Sign-in.
  • Select the three dots to the right of Saved Passwords and select Export Passwords
  • You’ll be prompted to enter your Windows password
  • Click OK
  • Your usernames and passwords will download to an Excel file

After entering your passwords in your new password manager, you’ll want to delete that Excel file permanently from your computer.
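To confirm that no exported copy is left behind after the cleanup described above, a sweep like the following can help. It is an added example, not part of the original article or any vendor's tooling, and it assumes the export is comma-separated text whose header row contains url, username and password columns; the file names and contents in demo() are constructed samples.

```python
import csv
import os
import tempfile

# Assumption: header names that mark a file as a browser password export.
REQUIRED_COLUMNS = {"url", "username", "password"}


def looks_like_password_export(path):
    """Return True if the CSV's header row has url, username and password columns."""
    try:
        # utf-8-sig drops a byte-order mark if the exporting tool wrote one.
        with open(path, newline="", encoding="utf-8-sig", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except (OSError, csv.Error):
        return False  # unreadable or locked file: skip it, keep the sweep running
    columns = {cell.strip().lower() for cell in header}
    return REQUIRED_COLUMNS <= columns


def find_password_exports(root):
    """Walk root and return sorted paths of CSV files that look like password exports."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".csv"):
                full = os.path.join(folder, name)
                if looks_like_password_export(full):
                    hits.append(full)
    return sorted(hits)


def demo():
    """Build a constructed sample folder and return the file names that get flagged."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "Chrome Passwords.csv": "name,url,username,password\nexample,https://example.test,alice,not-a-real-password\n",
            "renamed-backup.csv": "\ufeffName,URL,Username,Password,Note\n",
            "sales-q3.csv": "region,units,revenue\nEast,10,1000\n",
            "notes.txt": "url,username,password\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [os.path.basename(p) for p in find_password_exports(root)]


if __name__ == "__main__":
    print(demo())  # constructed data; for real use, pass your Downloads folder
```

Because the check reads the header row rather than the file name, a renamed copy of the export is still flagged. Remember to look in the Recycle Bin and any synced or backup folders as well.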

What to Do

A business-grade password manager will eliminate the frustration and headaches you and your employees experience when trying to create and remember complex passwords. This becomes an even bigger problem when several staff members need to use shared login credentials for a site. If that website requires that the password be changed often for security purposes, tracking down the person who has the most current password can be a real hassle for others who need to log in. Password managers or vaults have central databases that are both secure and compliant.

Our Top Recommendations for Password Vaults

Thycotic Secret Server. Secret Server is a web-based application, which can be installed on your network and accessed via any platform. It is ideal for teams and allows for the storage of privileged credentials in a military-grade encrypted centralized vault. It’s simple to use with a copy/paste function that allows you to quickly log in to web accounts.

Passwordstate by Click Studios. Passwordstate is an on-premises, web-based solution for enterprise password management, where teams of people can access and share sensitive password resources. Role-based administration and end-to-end event auditing provide a secure platform for password storage and collaboration. Features such as 256-bit AES data encryption, code obfuscation and enterprise scalability make it MIS’s enterprise password manager of choice.

LastPass (for single users). LastPass offers a business and team product, but it does not compare well to either Secret Server or Passwordstate. It’s important to note that with LastPass, your passwords are kept offsite, but it is a practical solution for single users and is a much better option than saving passwords in a browser.

Again, we cannot stress enough how important it is for you to protect your company’s valuable data by demanding that your employees use strong passwords and incorporate the use of a recognized and respected password vault. You can read more about creating strong passwords HERE. Don’t make it easy for criminals to destroy your business.

If you have questions, please call your account manager or get in touch with us at 678-745-5109.