Tuesday, June 16, 2009

chrome revisited


In my last post I talked about switching to Google Chrome. One thing I didn't mention though was its password manager.

I can't talk about password management in Internet Explorer because I don't use that program for anything but updating Windows. I do use the password manager in Firefox though, so let's talk about that and password managers in general.

Although you can get password managers that run as stand-alone programs, most people need to manage passwords for various accounts on the web, so it's much more convenient when your web browser provides this functionality. Whenever you enter a password on a web page with Firefox, you will be prompted to have your password remembered for next time. You can also have Firefox show you your stored passwords, which can be handy too.

Now, here are some rules about passwords and how a password manager can help.
  1. Passwords should be as long as possible, use more than just alpha-numeric characters and not be composed of words you will find in the dictionary. Since a password manager will remember the password for you, you can use really complicated but secure passwords.
  2. You shouldn't use the same password for more than one account/website. Again, since your password manager is doing the password memorizing, go nuts.
  3. Passwords should be changed regularly. Sounds like a job for a password manager.
  4. The last rule is important. Passwords should be kept secret. Firefox offers the option of setting a master password. This does a couple of things for you. First, it allows the password manager to encrypt your passwords so that if anyone ever gets access to your stored passwords, they won't be able to read them. Secondly, if anyone has access to your computer and runs Firefox, they won't be able to use the passwords you stored without knowing your master password.
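Rules 1 and 2 only work in practice if the passwords are generated rather than invented, so here is an added example (not from the original post) of a generator in Windows PowerShell that produces the kind of long, mixed-character, non-dictionary password a password manager lets you use. It draws from a cryptographic random source and uses rejection sampling so every character of the alphabet is equally likely; the alphabet and default length are my own choices.

```powershell
function New-RandomPassword {
    param([int]$Length = 24)
    # Mixed-case letters, digits and punctuation: longer than any dictionary word and not one.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?/'
    # Bytes at or above this limit are discarded so that "byte mod alphabet size" is unbiased.
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$out.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $out.ToString()
}

# One password per site, as rule 2 asks; the manager remembers them, so nobody has to.
New-RandomPassword -Length 24
```

Nothing about the output is meant to be memorable; that is the point of pairing it with a password manager.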
The last rule seemed to be a problem with Chrome. Chrome's password manager does not offer the option of setting a master password. Bad. And without a master password, there is no reasonably secure way for the password manager to encrypt your passwords. Very Bad. Google is usually pretty good about things like this so I decided some investigation was in order.

The first thing I did was do a search for "google chrome master password", and one of the early hits led to a Google message board where there is a lengthy discussion about the lack of a master password. It looks like there may be some plan to add such a feature, but I couldn't discern anything concrete.

Some further digging though turned up a very good blog post that went into detail about how Chrome's password manager works. This is possible because Chrome is open-source so anyone can look through the source code.

It turns out that Chrome uses a Windows system call to encrypt your passwords. It is a very reliable encryption, and it is keyed from your Windows login/password. It is also tied to some system/install identification, so what this means is that the stored passwords can only be recovered using the account/password combination on your particular machine and install of Windows.
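The Windows facility with exactly these properties (keyed from the user's logon, usable only from that account on that install) is the Data Protection API, DPAPI; I am assuming that is the system call the post refers to, and that Chrome passes no extra secret of its own. The following is an added example, not Chrome's code and not from the original post, written for Windows PowerShell 5.1 using the .NET wrapper around DPAPI. Case 1 shows what the post describes: anyone running code in the same logged-in account can decrypt the blob. Case 2 shows what a master password would add if one were mixed in as DPAPI's optional entropy: being logged in is no longer enough.

```powershell
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([string]$Plaintext, [byte[]]$Entropy)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    # CurrentUser scope: the key is rooted in this Windows account's logon credentials.
    [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample password; nothing here comes from a real site.
$sitePassword = 'example-site-password'

# Case 1: the arrangement the post describes. No application secret, so any code running
# in this logged-in account (a browser, a friend at the keyboard) can decrypt the blob.
$blob = Protect-Secret -Plaintext $sitePassword -Entropy $null
"Same account, no master password asked for: " + (Unprotect-Secret -Blob $blob -Entropy $null)

# Case 2: what a master password would add. Assumption: the master password is fed in as
# DPAPI's optional entropy (a real design would run it through a key-derivation function
# first). The blob is still bound to this account AND to the master password.
$master = [System.Text.Encoding]::UTF8.GetBytes('master password typed by the user')
$blob2 = Protect-Secret -Plaintext $sitePassword -Entropy $master
try {
    Unprotect-Secret -Blob $blob2 -Entropy $null
    "Unexpected: decrypted without the master password"
} catch {
    "Logged in but no master password: decryption refused (" + $_.Exception.GetType().Name + ")"
}
"Logged in and master password supplied: " + (Unprotect-Secret -Blob $blob2 -Entropy $master)
```

Run this as an ordinary user and case 1 prints the sample password straight back; that is precisely the behaviour the post goes on to discuss. The same blob carried to another account or another machine fails to decrypt, which is the protection Chrome does get for free from the operating system.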

Some argue that this isn't good enough protection, as it means that if you are logged into your Windows account, somebody could fire up Chrome and get access to your passwords. Sometimes it's not that mischievous: a friend is over and wants to use your computer for a second.

The correct response to this is "don't just let people use your computer while you are logged into your personal account". Seriously, create a second, limited account for people other than yourself to use; that's why that feature exists. You don't even have to shut down all your apps and log out: use the 'switch user' feature.

Some will still argue though and say "Hey, I don't want to have to log out or switch users". Well, that's fine, but with a Firefox master password you still have to remember to shut down your browser first and relaunch it so that the master password will be needed the next time a password needs to be entered. That doesn't seem significantly easier than switching Windows logins, which leaves your own browser context intact. And even if your web passwords are safe, whoever is using your Windows login still has access to whatever other personal info and files you have.

Should every program you use prompt you for a password? I don't think so, but in the end it's a matter of preference. The bottom line is that Chrome does a more than adequate job of protecting your passwords and encourages best practices. So don't let password management stop you from enjoying Google Chrome.
