3

I have for a long time used a fairly insecure method of having a series of different passwords - where I would use the same password on many sites. I would change between one of the series of passwords for random(ish) reasons and I would store which password I was using at which site in a text file by using a cipher to tell me which of the 6 or so passwords this particular site used. One additional slight positive movement towards being more secure - I use a unique email address at each website I register on.

I am wanting to improve my password security - after all I do have a LinkedIn account, and some others that at times have been compromised, according to pwned.

I started by choosing a new set of passwords and began changing some of my accounts. Then realised this would just take me back to where I had been. So I thought about it for a little bit, and have now started using the Chrome "suggest passwords" feature. I have since done a bit more thinking - and figured I should actually evaluate if the Chrome/Google Password Management is adequate.

This seems fairly secure - and I can't see any password until I enter a password for the device I am using. That gives me some degree of confidence about how secure the Chrome platform is.

My basic requirements for a p/w manager are:

  1. Secure
  2. Online Sync (I use more than 3 devices Every. Single. Day. sigh)
  3. Able to view the passwords at my discretion. This can be done on my phone. (I will sometimes be at a new device and NEED to use a specific password. This can be up to 2-3 times per week)
  4. Ideally Free (Open or Closed Source is fine)

So while advice is welcomed, my specific question is this: "Is Chrome's password management a reasonable level of security, assuming that I protect all of my devices that have Chrome installed and synched to my account?"

I have seen these 2 answers here:

How Secure is Googles Saved Password feature?

Retreiving Google Chrome passwords

The 1st seems to indicate if someone gets into your Gmail account - your passwords are an open book.

The 2nd seems to indicate if someone obtains physical access to your Windows or macOS or Linux device, they have a reasonably good chance of being able to brute force their way in to your store.

Are both of these concerns correct?

And what other concerns should I have about using Chrome as a password manager?

kiltannen

1 Answer

5

First of all, StackExchange is not a place for product recommendations. There are plenty of password managers, both free and paid, that can be found on the internet. I want to focus specifically on the password storage functionality of Google as you asked.

I want to compliment you for recognizing that your security can be improved, which is also core to your question: The Google password storage is better than your current method (based on the CIA triad) because of the following:

  • Your passwords are encrypted (confidentiality)
  • You have online access and synchronized access to your passwords (availability)
  • Google Password Storage has better options to monitor changes to your passwords (integrity)

The Google password storage has everything you were looking for in the first place. It is secure, it is able to synchronize between devices, you can view passwords at your own discretion and the functionality is completely free. I think your question is more about how secure it actually is, maybe even in comparison to other password managers.

Just like with 'regular' password managers, you need a master key to access your password storage. In this case you will need access to your Google account. I would strongly advise you to use 2FA and a strong master password (length is most important) to secure your account. When you turn synchronization on, your passwords will be saved to your Google account. When you do not have synchronization on, your passwords will be saved locally.

Let me get one thing straight from one of the questions you linked: A password in a password manager is not hashed but encrypted, because of the very nature of the functionality of a password manager. You need to be able to see and use a password and therefore it cannot be hashed. This is the same for all password managers, including the Google password storage.

The other question you linked is only applicable to passwords being saved locally, something you don't have to worry about because your passwords will be saved in your Google account as mentioned above.

Although the risks explained in the answer of ShayanKM are true, your critical risk is your Google account. As long as you protect your account well enough there should not be a lot of risk in using the Google password storage compared to other password managers. The only real difference might be that you could want to prefer open source password managers, which Google password storage is not. I will leave it up to you to decide if this is important.

There are other issues that are not specific to Google, such as vulnerabilities being found in the software or not securing your device. Remember that password managers don't have to be perfect, they have to be better than not having one.

Kevin
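The hashed-versus-encrypted distinction in the answer above, as an added example that is not part of the original post and not a description of how Chrome or Google store passwords: a website keeps a one-way hash it can only verify against, while a vault keeps ciphertext that the master password can turn back into the stored password. All function names are hypothetical, and the HMAC-SHA256 keystream is a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 work factor (value chosen for this example)

def site_store(password: str):
    """What a website keeps: salt + one-way hash. It can verify, never recover."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def site_verify(record, attempt: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITER)
    return hmac.compare_digest(digest, candidate)

def _keys(master: str, salt: bytes):
    """Derive separate encryption and MAC keys from the master password."""
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITER, dklen=64)
    return k[:32], k[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def vault_seal(master: str, secret: str) -> bytes:
    """What a password manager keeps: ciphertext that the master key can reverse."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master, salt)
    data = secret.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def vault_open(master: str, blob: bytes) -> str:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

Because the vault entry is reversible by design, everything rests on the master secret, which is why the answer puts the weight on a long master password and 2FA for the account that guards it.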