Proton

Is Google Password Manager safe to use in 2024?

Google Chrome is the world’s most popular web browser by far, with over 3 billion users. Its built-in password manager, Google Password Manager, is its default software to create and store passwords for websites and services.

Although convenient for Chrome users, Google Password Manager is not the safest option for several important reasons. We’ve identified several problems that should rule out Google’s password manager as a safe place for your login credentials.

  • Google offers little transparency about how the company secures your credentials. The platform’s code is not open source, so there’s no way to verify whether your data is really secure.
  • Your passwords are only accessible in Google Chrome. By locking you into the platform, Google can see the websites you visit, search terms, and other information about you.
  • In 2024, Google caused several security incidents(new window) for its own users as a result of poor infrastructure management: users lost access to their passwords and Windows users were left vulnerable to multiple exploits using Google Share.
  • The service lacks key features of modern password managers, including password generator customization, built-in two-factor codes, vaults, and secure password sharing.
  • There’s also a possibility of losing all your passwords. This can happen surprisingly easily if Google disables your account for violating its terms of service on any Google platform.

This article examines each of these concerns in more detail. While Google Password Manager may be convenient for some people, it is a clear case of trading convenience for security. This tradeoff is unnecessary because more secure password managers exist.

What is Google Password Manager
How does Google Password Manager work?
We can’t verify Google Password Manager is secure
Google Password Manager helps the company spy on you
You may lose all your passwords
It lacks important features
Choose a more secure password manager
FAQ

What is Google Password Manager?

Google Password Manager is the company’s default password storage service. It lets you:

  • Accept automatically suggested passwords when creating a new account or resetting your old password
  • Save login credentials for your accounts
  • Autofill usernames and passwords when you visit one of your accounts

How does Google Password Manager work?

To access Google Password Manager, log in to your Google Account in Chrome. Once you’re logged in, the service will offer to save and generate usernames and passwords for your online accounts.

In a Chrome window, you can access passwords by clicking or tapping the three dots menu. You’ll find a dropdown where you can select Google Password Manager to go to a list of services where you’ve allowed Google to save passwords.

Google Password Manager generates randomized passwords for you at your request when you register at a new website. The service saves these passwords and autofills them when you log in later.

You’ll need to log in to your Google Account through your Chrome browser to see your saved passwords. Google promises to encrypt your usernames and passwords on your device before they are sent to Google’s servers, so the company never has access to your login data.

You can additionally enable on-device encryption, which seems to add an extra layer of encryption by securing your usernames and passwords on your device using your device’s password and/or biometric ID (such as a fingerprint or Face ID).

(Google does not appear to have published a technical description of its encryption architecture, so it’s difficult to know how Chrome actually secures your data. But according to one customer support article(new window), the data is end-to-end encrypted.)

If you have on-device encryption set up, you’ll see a screen similar to this before you can read individual passwords:

Security and privacy concerns with Google Password Manager

Google Password Manager is not the best service for keeping your passwords safe. From unclear security standards to poor usability to privacy concerns, Google Password Manager does not meet the most basic requirements for a trustworthy service.

We can’t verify Google Password Manager is secure

Trustworthy data security companies typically inform you about how they encrypt your data and the strength of their encryption standards. But Google uses closed-source code and offers no public description of its security architecture. We were also unable to find any indication Google Password Manager has undergone an independent security audit.

While Google assures(new window) that only you can read the passwords you set and store with its password manager, there is no way to verify this claim.

This kind of secrecy is always a red flag. As quantum computing and new forms of encryption threaten to change the security paradigm, Google’s “security by obscurity” approach will become even more dangerous to users. The company is not immune from security lapses, such as when it was revealed Google stored G Suite users’ passwords in plaintext(new window).

A good password manager must follow industry standards and hold up to academic scrutiny, which requires operating in the open. Open-source code allows independent experts to verify the developers’ security claims and ensure the encryption is implemented safely. Open-source password managers are always updating and improving based on public feedback.

Recent security events aren’t promising

In July 2024, an update to Google Password Manager left between 15 and 17 million users (new window)unable to access or save passwords. The event lasted nearly 18 hours and affected Chrome web browser users around the world. Google noted on its app status dashboard(new window) that the incident was caused by a “change in product behavior without proper feature guard”. 


This wasn’t Google’s only incident. Again in July 2024, SafeBreach, a cybersecurity firm, discovered that attackers had been able to wirelessly add malware(new window) to their victim’s PCs using 10 bugs in Google’s Quick Share for Windows. Using this exploit, the attackers could then run code remotely on the victim’s device and potentially take it over.

Google Password Manager helps the company spy on you

A password manager is supposed to help you protect your identity. But Google Password Manager seems designed to lock your identity further inside the Google surveillance ecosystem.

While other password managers provide separate apps and programs you can use across different devices and operating systems, Google’s password manager requires you to log in to Chrome to access your credentials. Google relies on logged-in users to obtain private information about their behaviors and interests.

When you use Chrome while logged in to your account, the company can see what websites you visit and when. It can also see what you search for in Google and associate that information with the detailed profile it creates about you for purposes of targeted advertising. 

In this way, Google Password Manager is just one more tool the company uses to control your digital identity(new window) and profit from your data.

You may lose all your passwords

When you use a password manager, you expect to be able to access your passwords and other data forever. But with Google Password Manager, you could suddenly find yourself locked out of your own data.

Google can disable your account(new window) if the company determines you have violated its terms of service on any of its products, from YouTube to Gmail. Even if your alleged violation takes place outside of Google Password Manager or Chrome, you will still lose access to your passwords. You can appeal Google’s decision, but there are many stories(new window) of these applications leading nowhere. While this can also happen on other services, Google’s reach and impersonal customer support increase your risks.

As with all Google services, your data doesn’t really belong to you. Your identity is a product that Google rents to advertisers. 

It lacks important features

Google Password Manager is a bare-bones service. For example, there’s no built-in two-factor authentication feature, no encrypted vault functionality, no hide-my-email aliases, no ability to share your passwords with others securely, and no standalone apps.

What’s more, Google Password Manager’s password generator only creates strings of 15 characters chosen randomly. Other password managers will let you customize the length beyond 15 and modify the mix of characters included. Some also allow you to generate a passphrase, which can be more secure than a password(new window) because it contains greater entropy. 

Because of these restrictions, Google limits your ability to adjust the security of your passwords.

Choose a more secure password manager

Your password manager should be transparent about how it works and primarily focused on protecting your security and privacy. These are the minimum qualifications that Google fails to offer.  In 2024, when large scale cyberattacks targeting passwords are frequent(new window), this isn’t good enough.

But simply protecting your passwords isn’t enough, either. Login credentials are the key to your online identity, which is really what you’re protecting. You can always change a password, but you can’t easily change your email address or the unique behaviors and interests that Google compiles about you.

We created Proton Pass to be more than just a password manager — it’s also an identity manager. We do this through features like hide-my-email aliases, which generates unique email aliases to keep your true email address safe from hackers and spam. Phishing(new window) is the biggest threat to your account security, so keeping your real email address private is essential.

Proton Pass is transparent about how our encryption works(new window). Our code is open source(new window) and regularly audited by independent security professionals, meaning anyone can verify our code functions the way we claim or read an expert’s assessment of it.

Proton Pass’s password generator gives you more control by letting you customize your password or passphrase character length and the types of characters. However strong your password is, it will not protect you if it’s ever exposed through attacks like phishing or keyloggers. So we’ve also built a two-factor authenticator directly into Pass, allowing you to easily add a second layer of protection to each of your accounts.

Unlike Google Password Manager, we offer standalone apps for iPhones and Android devices and extensions for the browser of your choice so that you can access your data anywhere. You are not locked into Google’s platform, where your privacy is at risk. You can easily share logins and other sensitive information with friends, family, or colleagues securely using secure links.

With Proton Pass, you also have the added reassurance of battle-tested end-to-end encryption(new window) that protects all your data, not just passwords. We fully encrypt all metadata, usernames, web addresses, and all data contained in the encrypted notes section on your device so that not even Proton can access it.

What’s more, Proton Pass is the most feature-rich free password manager on the market. With the free plan, you get:

  • Protection for unlimited devices
  • Unlimited logins and notes
  • Up to 10 hide-my-email aliases

With Proton, we put your privacy first because you’re the customer, not the product. We earn money by offering paid subscriptions with extra features. However, Google’s business model is based on collecting and using your data to build a detailed profile of your interests and behaviors for targeted advertising. This surveillance-based business model is inevitably at odds with protecting your privacy. This

Fortunately, it’s easy to switch away from Big Tech and take back control of your data. If you already use Google Password Manager, you can securely import passwords from Chrome to Proton Pass. If you’re ready to leave Google entirely, it’s also easy to migrate other data to Proton Mail, Proton Calendar, and our other end-to-end encrypted products.

Check out the Proton Pass plans here or deGoogle your life for just $1.

FAQ

Should I keep my passwords in Google?

Keeping your passwords in Google is quick and convenient, but there are better places to store them. Consider looking for a password manager with clear encryption standards and two-factor authentication across multiple devices.

Can Google Chrome passwords be hacked?

Any software can be hacked. That’s why it’s important to choose a password manager that uses proven encryption standards, open-source code, and puts privacy and security as its top priority.

Is it safe to let Google Chrome save and remember passwords?

Google Chrome’s password manager is closed source, and the company has not published any description of its security architecture. Therefore, verifying whether Google Password Manager is safe to use is very difficult.

What are hide-my-email aliases?

Proton Pass creates randomly generated email addresses that forward emails to your main inbox. This protects your true identity in online forms and helps protect you from phishing attacks and spam.

What is two-factor authentication?

Two-factor authentication, or 2FA, is a second layer of security to protect your accounts. When enabled, 2FA requires a second piece of information (such as a one-time code) in addition to a password to access your account. Proton Pass has a 2FA authenticator built in, so you can quickly autofill 2FA codes.

What is a vault in a password manager?

Vaults let you categorize login credentials into groups that you can then share securely with friends, family, or colleagues.

Protect your passwords
Create a free account

Related articles

A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.
A cover image for a blog announcing that Pass Plus will now include premium SimpleLogin features
We're changing the price of new Pass Plus subscriptions, which now includes access to SimpleLogin premium features.
Infinity symbol in purple with the words "Call for submissions" and "Proton Lifetime Fundraiser 7th Edition"
It’s time to choose the organizations we should support for the 2024 edition of our annual charity fundraiser.