The ever-popular browser Google Chrome turned 10 years old this month, and with that anniversary the Google team announced a bevy of new changes in the latest release – from a new look to behind-the-scenes functionality tweaks.
Here at Naked Security we’re most interested in the security-related update that the new version of Chrome now offers: an in-browser Chrome-native password generator and manager.
Yes, Google products have been offering to store passwords for their users for some time now via Google Password Vault – and for that matter, most browsers have been offering their own native password manager features too (in addition to the many third-party password managers that integrate into the browser of your choice).
Combined password manager and generator
The new wrinkle here is that Chrome will now generate a unique password for the user as a part of the everyday credential creation process.
That generated password will be stored in the cloud-based Google Password Vault, meaning it will be available to that same logged-in Chrome user across their devices.
As you can see in the images below, there are no add-ons or third-party apps required here, and the browser password generation looks very similar to form-fill technology that browser users are already quite used to:
Chrome is by no means the only browser with this capability. We’ve previously covered how Apple’s Safari browser will be offering similar functionality in the upcoming iOS 12 release, which should be out this month.
So it seems like in-browser password management and generation are well on their way, if not already here. Hooray, right?
Generally speaking, the fewer barriers between users and the creation of more secure, unique passwords, the better. However, depending on your point of view, there may be caveats.
For those who already have the desire and ability to use a password manager – which is likely to be most Naked Security readers – the fundamental question is whether or not they will prefer to entrust their passwords to a massive company like Google or Apple, a third-party password manager like 1Password or LastPass, or use a homegrown solution, like a personal algorithm.
There’s certainly an argument for keeping passwords out of the cloud, a browser, or a big company that already knows a ton about you, like Google or Apple. Putting all your browsing and password information in one place may be a risk that not everyone wants to take – not everyone wants all their eggs in Google’s basket, so to speak.
And certainly, there are many people who never want their password vault stored on the internet, regardless of whether it’s via a browser password manager or a cloud app. For those folks, an in-browser password generator and manager understandably holds little appeal.
A convenient tool?
On the other hand, though many of us know what good password hygiene is, why it matters, and how to use a password manager, there are just as many – if not more – who don’t.
Then there are those who know it is important, but still don’t bother with it – a refrain we often hear is that people know strong, unique passwords matter, but it’s such a pain to find yet another piece of tech to help with this (let alone set it up and learn to use it).
In this case, a built-in password generator and manager within the browser offers a distinct advantage: Most people are very comfortable with how their browser works, and if the browser offers oh-so-helpfully to take care of yet another internet annoyance (making and remembering all those pesky passwords), it’s one less thing to worry about.
What do you think? Does an in-browser password generator and manager appeal to you? If you’re a Chrome user, will you be using Google’s password vault or are you sticking to a different option?
Iggy
Is there more of a story to this? Or is this just a PSA?
Mahhn
Entrust your entire life to The google. The google knows; what you want, where to take you, your passwords, your pizza, just sit back and let google live for you. Sleep, sleep, The google is in your house, your car, it hears your every word, don’t think just consume, c o n s u m e…..
Yeah, I’m gonna pass on this trust thing, I mean, if they had a motto like “don’t be evil” maybe, but they don’t.
Ken
While this is an improvement to the Chrome password manager, I still don’t feel confident in the idea of using a browser’s password manager, so I will stick to my new favourite password manager, Bitwarden. I like the extra level of security that using a separate password manager app offers, plus it offers family and team features that Chrome doesn’t have. It can also be used with other browsers, not just Chrome. I have also seen it written online that browser password vaults just aren’t safe enough. I don’t know if there’s credibility to that statement, so maybe that would be a good topic for a future post. Can we trust in-browser password vaults, or am I just being overly paranoid?
ve1arn
No appeal to me whatsoever. I use Keypass and am quite happy with it on my own system.
alt064
Nope… but, I’m one of the paranoid ones. And I don’t intend to lock my browser to one company, particularly not one of google, facebook or apple. I may use opera, IE or chrome on any given device or day. I use a password manager with a suitable master password and store a copy in the cloud to link passwords across devices. It’s a compromise, premised on trusting the password manager in question vs the disadvantage of using somewhat predictable password patterns that work in my aging brain!
Jim
I do not trust Google to walk my dog. They are not rolling out password generator from their kind heart.
Pingu
Presumably an in-browser password vault (such as google’s) will not work on other browsers – unlike an addin (such as LastPass).
Sometimes you want to have different browsers available.
I am not willing to go all-in with google (actually trying to go the other way!)
34a71bW1
On the surface for most computer users this would seem to be a benefit as it requires no other software or management by the user. I, however, do not plan to use the password generation feature.
IMO, a sufficiently strong Google password that is changed periodically should be enough to secure whatever other credentials Google stores through Chrome, or the entire Google password storage system is questionable.
To me the weak link in the email/password credential system has always been the email address. Every email correspondent has part of the information needed to sign into every site where that address is used. Many sites use an email address as the username. When sign-in names are required, most users use the same username for every site. All Google is adding to security is a unique password per site.
I have no confidence that Google’s “random” password generation is complex. The majority of websites, DO NOT SUPPORT complex passwords using symbols, and virtually all are limited to 20 characters. To work efficiently, the “unique” password will need to be limited to letters and numerals. Even when extended to 20 characters, this is a simple password by modern standards.
I also have doubts that the password generation algorithm will be random, not vulnerable to reverse engineering or being opened through an intentional backdoor.
Until google can get the cost of a token key down to an affordable level, I’ll stick to what I’ve been doing. I don’t use the same email account with every website. When usernames are permitted, the username is not the email prefix, and unique per site, I assign a different complex password per site. When symbols are not permitted in a site’s passwords, I use a different algorithm.
GaryZ
Why no mention on what “rules” can be set? Most sites have rules for passwords that must be followed. 2 numbers, begin and end in alpha, contain at least one special character, between 6-12 characters long. And they are all different!
Bryan
I once disliked Chrome for its differences, sticking with Firefox like a dinosaur and reveling in the nostalgia of how v.1.7 put IE6 to shame in many ways. I switched (long) after Firefox became a bloated memory hog–and now Chrome (and Chromium) is my preferred browser by a mile. Even with the less-appealing aspects of Google, I use it daily and even let it save a few passwds.
However, I still don’t care at all for the idea of “signing into” Chrome, and the default behavior of Chrome’s “new tab” precisely resembling my Gmail login is irritating.
No thanks; I’m perfectly capable of exporting bookmarks once in a while if needed; I’d likely consider using Chrome’s password manager if it could work otherwise.
I hadn’t really thought before about where I’d mark my line in the sand.
I suppose it’s right here.
Bryan
update:
It’s just a bit nearer than I thought.
https://nakedsecurity.sophos.com/2018/09/25/users-fret-over-chrome-auto-login-change/
Dangit, changing your main browser is a PITA.
My prior comment was made in Chrome. This one is not…
Anonymous
Congratulations Sophos for catching on with the rest of the world. I’ve been using this feature for a while now, how is that news, did I miss something?
Randy Vanderpool
I think it is a great idea, but I use Lastpass.
Jay
Censured….Thanks!
hanysalem
Of course, in-browser PW generator will save me the trouble of remembering a PW that was created a few weeks ago. Many websites require a user name and password. Considering the many websites I need to register to get access to the full service, remembering and keeping passwords will become a troublesome issue.
Entrusting our information to the big company is the issue.
Bentham
It’s optional now
How long until Google make it a feature you have to opt-out of before later making it a compulsory feature of Chrome use (sign in to the Chrome PW manager to access the Internet)?
Sort of like https – but less benign?
Some countries might then legislate that you must use such a system (and of course it must have a backdoor for the likes of NSA etc.)
Your Google single sign-in is then the keys to the kingdom – your passwords, your browsing history, your heavily “personalised” browsing experience etc, etc.
GGma
So Google, a data collector, will generate passwords and then store them safely…what will prevent Google from giving/selling our private passwords?? It has not done anything to secure our private info in the past…why should I trust Google to do the right thing now?? Nope, no trust here for Google!