Google Chrome is the world’s most popular web browser by far, with over 3 billion users. Its built-in password manager, Google Password Manager, is its default software to create and store passwords for websites and services.
Although convenient for Chrome users, Google Password Manager is not the safest option for several important reasons. We’ve identified several problems that should rule out Google’s password manager as a safe place for your login credentials.
- Google offers little transparency about how the company secures your credentials. The platform’s code is not open source, so there’s no way to verify whether your data is really secure.
- Your passwords are only accessible in Google Chrome. By locking you into the platform, Google can see the websites you visit, search terms, and other information about you.
- The service lacks key features of modern password managers, including password generator customization, built-in two-factor codes, vaults, and secure password sharing.
- There’s also a possibility of losing all your passwords. This can happen surprisingly easily if Google disables your account for violating its terms of service on any Google platform.
This article examines each of these concerns in more detail. While Google Password Manager may be convenient for some people, it is a clear case of trading convenience for security. This tradeoff is unnecessary because more secure password managers exist.
What is Google Password Manager
How does Google Password Manager work?
We can’t verify Google Password Manager is secure
Google Password Manager helps the company spy on you
You may lose all your passwords
It lacks important features
Choose a more secure password manager
FAQ
What is Google Password Manager?
Google Password Manager is the company’s default password storage service. It lets you:
- Accept automatically suggested passwords when creating a new account or resetting your old password
- Save login credentials for your accounts
- Autofill usernames and passwords when you visit one of your accounts
How does Google Password Manager work?
To access Google Password Manager, log in to your Google Account in Chrome. Once you’re logged in, the service will offer to save and generate usernames and passwords for your online accounts.
In a Chrome window, you can access passwords by clicking or tapping the three dots menu. You’ll find a dropdown where you can select Google Password Manager to go to a list of services where you’ve allowed Google to save passwords.
Google Password Manager generates randomized passwords for you at your request when you register at a new website. The service saves these passwords and autofills them when you log in later.
You’ll need to log in to your Google Account through your Chrome browser to see your saved passwords. Google promises to encrypt your usernames and passwords on your device before they are sent to Google’s servers, so the company never has access to your login data.
You can additionally enable on-device encryption, which seems to add an extra layer of encryption by securing your usernames and passwords on your device using your device’s password and/or biometric ID (such as a fingerprint or Face ID).
(Google does not appear to have published a technical description of its encryption architecture, so it’s difficult to know how Chrome actually secures your data. But according to one customer support article(new window), the data is end-to-end encrypted.)
If you have on-device encryption set up, you’ll see a screen similar to this before you can read individual passwords:
Security and privacy concerns with Google Password Manager
Google Password Manager is not the best service for keeping your passwords safe. From unclear security standards to poor usability to privacy concerns, Google Password Manager does not meet the most basic requirements for a trustworthy service.
We can’t verify Google Password Manager is secure
Trustworthy data security companies typically inform you about how they encrypt your data and the strength of their encryption standards. But Google uses closed-source code and offers no public description of its security architecture. We were also unable to find any indication Google Password Manager has undergone an independent security audit.
While Google assures(new window) that only you can read the passwords you set and store with its password manager, there is no way to verify this claim.
This kind of secrecy is always a red flag. As quantum computing and new forms of encryption threaten to change the security paradigm, Google’s “security by obscurity” approach will become even more dangerous to users. The company is not immune from security lapses, such as when it was revealed Google stored G Suite users’ passwords in plaintext(new window).
A good password manager must follow industry standards and hold up to academic scrutiny, which requires operating in the open. Open-source code allows independent experts to verify the developers’ security claims and ensure the encryption is implemented safely. Open-source password managers are always updating and improving based on public feedback.
Google Password Manager helps the company spy on you
A password manager is supposed to help you protect your identity. But Google Password Manager seems designed to lock your identity further inside the Google surveillance ecosystem.
While other password managers provide separate apps and programs you can use across different devices and operating systems, Google’s password manager requires you to log in to Chrome to access your credentials. Google relies on logged-in users to obtain private information about their behaviors and interests.
When you use Chrome while logged in to your account, the company can see what websites you visit and when. It can also see what you search for in Google and associate that information with the detailed profile it creates about you for purposes of targeted advertising.
In this way, Google Password Manager is just one more tool the company uses to control your digital identity(new window) and profit from your data.
You may lose all your passwords
When you use a password manager, you expect to be able to access your passwords and other data forever. But with Google Password Manager, you could suddenly find yourself locked out of your own data.
Google can disable your account(new window) if the company determines you have violated its terms of service on any of its products, from YouTube to Gmail. Even if your alleged violation takes place outside of Google Password Manager or Chrome, you will still lose access to your passwords. You can appeal Google’s decision, but there are many stories(new window) of these applications leading nowhere. While this can also happen on other services, Google’s reach and impersonal customer support increase your risks.
As with all Google services, your data doesn’t really belong to you. Your identity is a product that Google rents to advertisers.
It lacks important features
Google Password Manager is a bare-bones service. For example, there’s no built-in two-factor authentication feature, no encrypted vault functionality, no hide-my-email aliases, no ability to share your passwords with others securely, and no standalone apps.
What’s more, Google Password Manager’s password generator only creates strings of 15 characters chosen randomly. Other password managers will let you customize the length beyond 15 and modify the mix of characters included. Some also allow you to generate a passphrase, which can be more secure than a password(new window) because it contains greater entropy.
Because of these restrictions, Google limits your ability to adjust the security of your passwords.
Choose a more secure password manager
Your password manager should be transparent about how it works and primarily focused on protecting your security and privacy. These are the minimum qualifications that Google fails to offer.
But simply protecting your passwords isn’t enough, either. Login credentials are the key to your online identity, which is really what you’re protecting. You can always change a password, but you can’t easily change your email address or the unique behaviors and interests that Google compiles about you.
We created Proton Pass to be more than just a password manager — it’s also an identity manager. We do this through features like hide-my-email aliases, which generates unique email aliases to keep your true email address safe from hackers and spam. Phishing(new window) is the biggest threat to your account security, so keeping your real email address private is essential.
Proton Pass is transparent about how our encryption works(new window). Our code is open source(new window) and regularly audited by independent security professionals, meaning anyone can verify our code functions the way we claim or read an expert’s assessment of it.
Proton Pass’s password generator gives you more control by letting you customize your password or passphrase character length and the types of characters. However strong your password is, it will not protect you if it’s ever exposed through attacks like phishing or keyloggers. So we’ve also built a two-factor authenticator directly into Pass, allowing you to easily add a second layer of protection to each of your accounts.
Unlike Google Password Manager, we offer standalone apps for iPhones and Android devices and extensions for the browser of your choice so that you can access your data anywhere. You are not locked into Google’s platform, where your privacy is at risk. Soon you’ll also be able to share logins and other sensitive information securely with friends, family, or colleagues.
With Proton Pass, you also have the added reassurance of battle-tested end-to-end encryption(new window) that protects all your data, not just passwords. We fully encrypt all metadata, usernames, web addresses, and all data contained in the encrypted notes section on your device so that not even Proton can access it.
What’s more, Proton Pass is the most feature-rich free password manager on the market. With the free plan, you get:
- Protection for unlimited devices
- Unlimited logins and notes
- Up to 10 hide-my-email aliases
With Proton, we put your privacy first because you’re the customer, not the product. We earn money by offering paid subscriptions with extra features. However, Google’s business model is based on collecting and using your data to build a detailed profile of your interests and behaviors for targeted advertising. This surveillance-based business model is inevitably at odds with protecting your privacy.
Fortunately, it’s easy to switch away from Big Tech and take back control of your data. If you already use Google Password Manager, you can securely import passwords from Chrome to Proton Pass. It’s also easy to migrate other data to Proton Mail, Proton Calendar, and our other end-to-end encrypted products.
Check out the Proton Pass plans here.
FAQ
Keeping your passwords in Google is quick and convenient, but there are better places to store them. Consider looking for a password manager with clear encryption standards and two-factor authentication across multiple devices.
Any software can be hacked. That’s why it’s important to choose a password manager that uses proven encryption standards, open-source code, and puts privacy and security as its top priority.
Google Chrome’s password manager is closed source, and the company has not published any description of its security architecture. Therefore, verifying whether Google Password Manager is safe to use is very difficult.
Proton Pass creates randomly generated email addresses that forward emails to your main inbox. This protects your true identity in online forms and helps protect you from phishing attacks and spam.
Two-factor authentication, or 2FA, is a second layer of security to protect your accounts. When enabled, 2FA requires a second piece of information (such as a one-time code) in addition to a password to access your account. Proton Pass has a 2FA authenticator built in, so you can quickly autofill 2FA codes.
Vaults let you categorize login credentials into groups that you can then share securely with friends, family, or colleagues.
