Google Chrome does not secure stored passwords: SSO Alert Priority High
16 August 2013
All saved passwords in Google Chrome vulnerable
Users of the popular web browser Google Chrome are warned that passwords (saved by the browser) are not secured properly, leading to any other user being able to view all passwords that you have saved.
Chrome will typically prompt you to save your password for a site that you visit, and remember this for future logins. While other browsers offer the option of a “master password” that can be activated to protect your passwords, Chrome does not.
On any Google Chrome browser, you can type chrome://settings/passwords into the URL bar. This will display a page listing all of the passwords held by that browser—for all users of that computer.
This is particularly concerning for shared computers. You should never save your passwords when using shared computers, such as public computers at a library or airport.
Do not rely on your browser to safely store passwords for you if someone else has physical access to that machine.
Only allow people you trust to access your computer, especially if that computer contains confidential information.
Protecting your passwords
You are advised to either:
avoid storing passwords in the Google Chrome browser
ensure you lock your computer when you’re not using it, or
use a third-party tool to manage your passwords.
Different browsers each have different approaches to password management. Firefox allows you to set a master password. By default, this is turned off, allowing anyone to view passwords stored by the browser.
To activate your master password go to:
Tools > Options > Security Tab
Safari users need to enter a system password to view their password list, while Internet Explorer does not have an option to view passwords in this way.