Google Chrome's new password manager makes securing Chrome even more important

Google's Chrome 69 includes a nifty new password manager that promises to make third-party password managers unnecessary by both generating and storing site passwords. But that makes securing Google's main password even more important.

Credit: Rob Schultz

If you’re a person who hasn’t bothered with a password manager—though you probably should—you may be excited to hear that the updated Google Chrome 69 includes better password management, and even a password generator. Beware, though: This new feature makes it even more important to lock down Chrome itself. 

Google has offered a built-in password manager since around 2015, when it began offering to store passwords within the browser as part of its Smart Lock feature. (Chrome had stored passwords even before then, though the way it had done so was considered by some to be really insecure.) 

Now, however, Google takes it a step further. It offers to create a random password the first time you log into a new site, like so:

[Image: imgur test account. Credit: Mark Hachman / IDG]

Sign up for a new account on a Web site and Google Chrome 69 will offer to generate a new, random password.

Chrome then offers to store that password within the browser. The next time you log into the site (if you allow it), Google will use that stored, randomized password to log in. 

Naturally, this makes it extremely easy for Chrome users to generate “secure” passwords for each new site, because the password Chrome creates is essentially just a mishmash of numbers and letters. (It’s not clear whether Chrome will automatically generate passwords that are compliant with a site’s rules—think the "XX minimum characters, one number, one special character" rules that you’ll find on some sites—though the passwords I generated on a test site conformed.)

Be sure Chrome isn’t the weak link

The more keys you store in Chrome’s lockbox, though, the more you’ll want to ensure that Chrome itself is totally secure. First, be aware that if you store a randomized password for a site like Netflix within Chrome, you’ll still have to enter that password if you access Netflix within an app or on a streaming device that doesn’t use Chrome as an interface. Fortunately, all of your passwords should still be accessible via passwords.google.com, where you can search for the site name and reveal each individual password, then type it in.

Do so, though, and you’ll probably be amazed at the number of passwords you stored within Chrome for convenience’s sake. (Consider eliminating some of these.) To access them, you’ll first need to type in your Google account password.

It’s that master password that you’ll need to secure absolutely. Ensure it’s unique. If you choose simply to memorize it, make sure it’s a lengthy passphrase with enough randomization inside it to fool bots and spies alike. (Something like “HowN0w,Browncat?numnumtime!” is both memorable and complex.) Never save this password in a spreadsheet, or a sticky note, or in a saved email.

The passwords.google.com site asks for your Google password before divulging the master list. Be aware that if you use more than one browser, your Google password might be stored in the other browser like any other password. In Windows’ Microsoft Edge browser, for example, the Edge password manager doesn’t reveal any of the stored passwords—but if you carelessly allowed Edge to store your Google password in its master list, an attacker could log into Google’s master password list with a single click, and without knowing any of your carefully memorized passwords. Within seconds, the attacker could reveal your banking password, then close the tab and you’d be none the wiser.

[Image: Windows 10 Dynamic Lock settings. Credit: Mark Hachman / IDG]

You can help lock down your PC by turning on Windows 10’s Dynamic Lock.

(Go to Edge’s Settings > Advanced Settings > Manage passwords, then right-click a given site and click remove credential to erase these stored passwords. You can also make sure your PC locks automatically if a synced phone goes out of range through a Windows feature called Dynamic Lock: Go to Settings > Sign-in Options > Dynamic Lock.)

Convenience can weaken two-factor authentication

You’ve probably heard of two-factor authentication—combining something you know, such as a password, with something you own, like a phone. You should already have two-factor authentication turned on for your Google Account, so when you log into Google on a new PC you’ll be asked for your password, then a code will be sent to your phone via the Google Authenticator app.

Over time, though, you may be tempted to allow Google to "trust this computer," or assume that it’s you typing in your password. While you save time, you’re also robbing yourself of some of the security two-factor authentication offers. 

[Image: Google account two-factor controls. Credit: Mark Hachman / IDG]

Google’s account controls will help you perform a security checkup, including an easy way to download the Authenticator app.

Don’t worry, though. Within myaccount.google.com, there are controls to ensure that two-factor verification is turned on, plus a control to revoke trusted status from your logged-in devices. You won’t be able to pick—the control revokes status for all of your trusted devices. But as Chrome becomes more entrenched in securing access to your data, the idea is that you’re placing more safeguards upon it. 

If two-factor authentication still isn't enough, additional layers of security like the YubiKey hardware dongle have been around for half a decade or so. Many of you will opt for the convenience of leaving everything within Chrome, however.

Chrome 69 also includes such features as a reworked UI and an "omnibox" search box that will start to return results as well as auto-suggest search queries. But the upgraded password manager is the most important feature releasing in conjunction with Chrome's tenth anniversary. As the most popular PC browser by far, it’s also the one that you’ll probably be asked to use in the near future.


Mark Hachman

PC World (US online)