So I signed into my Google account to check my privacy settings. I found a feature called "Saved Passwords" which had in it about 50 various accounts which I have signed into and clicked "Save password". An example of this is shown below:

[Screenshot of a saved password entry]

As you can see from the screenshot there is a small "Eye" icon which allows you to see the password in plaintext.

So there are two problems here from what I can see:

Firstly, if I can see my password in plaintext, does that mean my password is being stored unhashed somewhere, perhaps on a Google server? That already sets alarm bells ringing. Secondly, if someone accessed my account they would unlock a goldmine of websites and their corresponding usernames and passwords.

So my question is: Is Google's saved passwords feature secure?

User1
  • What's the URL? – Pacerier Jan 26 '18 at 06:31
  • Password managers can't use a one-way hash function to encrypt passwords because they have to recover the passwords so that you can use them to log in to things. That's the whole point of a password manager, while the point of salting+hashing passwords is that they *cannot* (ideally) be recovered except by a brute force attack. – mdunsmuir Feb 20 '18 at 02:56

2 Answers

3

Came across this post:

How they work: Browsers store your passwords in encrypted databases or registry entries stored locally on your computer. If the browser has a feature to sync your data between your computers and other devices, the information is saved in its encrypted format to an online account (e.g., Google if you're using Chrome or your Firefox Sync account on Mozilla).

Security weaknesses: The biggest problem with saving your passwords in your browser is that it's not hard for someone who gains access to your computer to also access all your passwords. In Chrome, for example, you (or anyone who hacks into your computer) can just go to the browser's settings and click on the show button in the preferences tab to reveal any saved password. Internet Explorer is more secure because it doesn't let you view saved passwords, and it also doesn't sync your data across computers. Both IE and Chrome, however, use your computer login password as the cipher for the encrypted data. Because of this, it's easy for your passwords to be revealed with tools such as Nirsoft's WebBrowserPassView. If third-party utilities like this can recover the data, malware running under your user account might also be able to access the data.

Link to full article: http://lifehacker.com/5944969/which-password-manager-is-the-most-secure
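
The distinction drawn in the comment on the question and in this answer, as an added example (not from the original post or the quoted article, and not any browser's actual storage code): a site keeps a salted one-way hash it can only compare against, while a password manager must encrypt reversibly, so every saved entry is only as safe as the unlock key. The function names, the sample secrets and the HMAC-based cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # constructed value for the demo

def site_hash(password: str, salt: bytes) -> bytes:
    """What a website stores: a salted one-way hash, usable only for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def derive_vault_key(unlock_secret: str, salt: bytes) -> bytes:
    """64 bytes: the first half encrypts, the second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", unlock_secret.encode(), salt, ITERATIONS, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD (assumption, stdlib only).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def vault_encrypt(key: bytes, password: str) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, data = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def vault_decrypt(key: bytes, blob: bytes) -> str:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

if __name__ == "__main__":
    salt = os.urandom(16)
    pw = "correct horse battery staple"              # constructed sample password
    digest = site_hash(pw, salt)                     # a site can only re-hash and compare
    print("hash matches login attempt:", hmac.compare_digest(digest, site_hash(pw, salt)))
    key = derive_vault_key("os-login-secret", salt)  # constructed unlock secret
    entry = vault_encrypt(key, pw)
    print("manager shows:", vault_decrypt(key, entry))  # the "eye" icon case
    try:
        vault_decrypt(derive_vault_key("guess", salt), entry)
    except ValueError as err:
        print("without the unlock secret:", err)
```

Anything that holds the unlock key, including a process running under the same user account, gets the same plaintext the "eye" icon shows.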

3

This option is to sync your saved passwords on Google Chrome among your other devices. So your Google account would play the server role, and your passwords are saved on Google servers.

There are three cases when your password can be leaked:

  1. Any direct access to your Google account (Gmail)
  2. Any access to your synced devices
  3. Google vulnerabilities

If you configure your Google account security options correctly, it's safe to use this option. However, you can turn off this feature or just use the (local) browser save password option.

reference: Manage saved passwords

ShayanKM