If you’re a person who hasn’t bothered with a password manager—though you probably should—you may be excited to hear that the updated Google Chrome 69 includes better password management, and even a password generator. Beware, though: This new feature makes it even more important to lock down Chrome itself.
Google has offered a built-in password manager since around 2015, when it began offering to store passwords within the browser as part of its Smart Lock feature. (Chrome had stored passwords even before then, though the way it had done so was considered by some to be really insecure.)
Now, however, Google takes it a step further. It offers to create a random password the first time you log into a new site, like so:
Chrome then offers to store that password within the browser. The next time you log into the site (if you allow it), Google will use that stored, randomized password to log in.
Naturally, this makes it extremely easy for Chrome users to generate “secure” passwords for each new site, because the password Chrome creates is essentially just a mishmash of numbers and letters. (It’s not clear whether Chrome will automatically generate passwords that are compliant with a site’s rules—think the "XX minimum characters, one number, one special character" rules that you’ll find on some sites—though the passwords I generated on a test site conformed.)
Be sure Chrome isn’t the weak link
The more keys you store in Chrome’s lockbox, though, the more you’ll want to ensure that Chrome itself is totally secure. First, be aware that if you store a randomized password for a site like Netflix within Chrome, you’ll still have to enter that password if you access Netflix within an app or on a streaming device that doesn’t use Chrome as an interface. Fortunately, all of your passwords should still be accessible via passwords.google.com, where you can search for the site name and reveal each individual password, then type it in.
Do so, though, and you’ll probably be amazed at the number of passwords you stored within Chrome for convenience’s sake. (Consider eliminating some of these.) To access them, you’ll first need to type in your Google account password.
It’s that master password that you’ll need to secure absolutely. Ensure it’s unique. If you choose simply to memorize it, make sure it’s a lengthy passphrase with enough randomization inside it to fool bots and spies alike. (Something like “HowN0w,Browncat?numnumtime!” is both memorable and complex.) Never save this password in a spreadsheet, or a sticky note, or in a saved email.
The passwords.google.com site asks for your Google password before divulging the master list. Be aware that if you use more than one browser, your password might be stored like any other. In Windows’ Microsoft Edge browser, for example, the Edge password manager doesn’t reveal any of the stored passwords—but if you carelessly allowed Edge to store your Google password in its master list, an attacker could log into Google’s master password list with a single click, and without knowing any of your carefully memorized passwords. Within seconds, the attacker could reveal your banking password, then close the tab and you’d be none the wiser.
(Go to Edge’s Settings > Advanced Settings > Manage passwords, then right-click a given site and click remove credential to erase these stored passwords. You can also make sure your PC locks automatically if a synced phone goes out of range through a Windows feature called Dynamic Lock: Go to Settings > Sign-in Options > Dynamic Lock.)
Convenience can weaken two-factor authentication
You’ve probably heard of two-factor authentication—combining something you know, such as a password, with something you own, like a phone. You should already have two-factor authentication turned on for your Google Account, so when you log into Google on a new PC you’ll be asked for your password, then a code will be sent to your phone via the Google Authenticator app.
Over time, though, you may be tempted to allow Google to "trust this computer," or assume that it’s you typing in your password. While you save time, you’re also robbing yourself of some of the security two-factor authentication offers.
Don’t worry, though. Within myaccount.google.com, there are controls to ensure that two-factor verification is turned on, plus a control to revoke trusted status from your logged-in devices. You won’t be able to pick—the control revokes status for all of your trusted devices. But as Chrome becomes more entrenched in securing access to your data, the idea is that you’re placing more safeguards upon it.
If two-key authentication still isn't enough, additional layers of security like the YubiKey hardware dongle have been around for half a decade or so. Many of you will opt for the convenience of leaving everything within Chrome, however.
Chrome 69 also includes such features as a reworked UI and an "omnibox" search box that will start to return results as well as auto-suggest search queries. But the upgraded password manager is the most important feature releasing in conjunction with Chrome's tenth anniversary. As the most popular PC browser by far, it’s also the one that you’ll probably be asked to use in the near future.