
How Secure Are Your Saved Chrome Browser Passwords

"Why isn't there a master password for Google Chrome?" is a question that is frequently asked about the browser. Google has (informally) stated that master passwords provide a false sense of security and that the most viable method of protecting this sensitive data is through system security, rather than through passwords or other means.

So, how safe are the passwords you've saved within Google Chrome?

Viewing Saved Passwords 

A password manager is included with Chrome, and it can be accessed through Options > Personal Stuff > Manage saved passwords. You are probably already familiar with this feature if you allow Chrome to store your passwords, as it is not a new addition to the browser.

An additional layer of security is provided by the requirement that you click the Show button next to each password you wish to view.

It is true that access to this screen is not restricted (that is, if you have access to the desktop where Chrome is installed, you will be able to view the passwords), but viewing each individual password requires at the very least user intervention, and there is no way to export them in bulk to a simple text file.

What is the location of the password information

The information about saved passwords is stored in the SQLite database named as follows:

%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data

By opening this file (the file name is simply "Login Data") in SQLite Database Browser, you will be able to see the "logins" table, which contains the passwords that have been saved. You will notice that the "password_value" field is unreadable because the value is encrypted.
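The inspection described above can be scripted to show what a copy of the file reveals without any decryption. This is an added example, not code from the original article: it builds a constructed three-column stand-in for the "logins" table (the real table has more columns), and the function names and the "version-tagged" label for values used by later Chrome releases are assumptions of the example.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# A DPAPI blob starts with version DWORD 1 followed by the DPAPI provider GUID.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

def classify_blob(blob):
    """Label a password_value blob by its framing; it is never decrypted."""
    if not blob:
        return "empty"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"
    if re.match(rb"v\d\d", blob):
        return "version-tagged"  # prefix seen on values from later Chrome releases
    return "unrecognised"

def audit_logins(db_path):
    """Return origin, username and blob framing for every saved login."""
    # Read-only URI open, so the audit can never modify the profile.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins ORDER BY rowid").fetchall()
    finally:
        con.close()
    return [{"origin": o, "username": u, "blob": classify_blob(b),
             "blob_len": len(b or b"")} for o, u, b in rows]

def build_sample_db(path):
    """Constructed stand-in for Login Data (hypothetical sites, zeroed blobs)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins "
                "(origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.test/", "alice", DPAPI_HEADER + bytes(64)),
        ("https://bank.example.test/", "alice01", b"v10" + bytes(44)),
        ("http://intranet.example.test/", "", b""),
    ])
    con.commit()
    con.close()

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "Login Data"
        build_sample_db(path)
        return audit_logins(path)
```

The site and username columns come back as plain text; only the password field is protected. Run `audit_logins` against a copy of the file, since the live database is in use while Chrome is open.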

How Secure is the Encrypted Data

In order to encrypt the data (on Windows), Chrome makes use of a Windows-provided API function, which restricts access to the encrypted data to the Windows user account that was used to encrypt the password in the first place. As a result, your master password is essentially the same as the password for your Windows account. Therefore, once you log into Windows with your account, Chrome will be able to decrypt the data.

Because your Windows account password is constant, access to this "master password" is not limited to Chrome; external utilities can also reach the data and decrypt it. You can view and export all of your saved password data using the free NirSoft utility ChromePass, which is available from the NirSoft website.

Consequently, if the ChromePass utility has access to this data, malware running as the respective user may also be able to access this information. When ChromePass.exe is uploaded to VirusTotal, it is flagged as potentially dangerous by slightly more than half of the anti-virus engines that scan the file. It is somewhat reassuring to see that this type of behavior is at the very least flagged by a large number of antivirus packages, even though the utility is safe in this particular instance (although Microsoft Security Essentials is not one of the AV engines which reported it as dangerous).
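On the defensive side, the same observation suggests a simple detection: alert when anything other than the browser itself opens a Login Data file. The following is an added example, not part of the original article; the event records are constructed and use simplified, hypothetical field names, and the trusted install paths are assumptions to adjust per environment.

```python
import re

# Any profile's credential store under the path given in the article.
LOGIN_DATA = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)

# Assumed install locations of the genuine browser binary (lower-case).
TRUSTED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

def suspicious_reads(events):
    """Return events where a non-browser image opened a Login Data file."""
    hits = []
    for ev in events:
        if not LOGIN_DATA.search(ev["object"]):
            continue  # not a Chrome credential store
        # Compare the full image path: a file merely named chrome.exe
        # in another directory must not be trusted.
        if ev["image"].lower() in TRUSTED_IMAGES:
            continue
        hits.append(ev)
    return hits

# Constructed sample events (simplified fields, not a real log export).
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object": PROFILE + r"\Default\Login Data"},
    {"image": r"C:\Users\alice\Downloads\ChromePass.exe",
     "object": PROFILE + r"\Default\Login Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "object": PROFILE + r"\Profile 1\Login Data"},
    {"image": r"C:\Windows\explorer.exe",
     "object": r"C:\Users\alice\Documents\Login Data.txt"},
]

if __name__ == "__main__":
    for hit in suspicious_reads(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["object"])
```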

Is it possible to circumvent the security measures

Consider the following scenario: your computer is stolen, and the thief resets your Windows password in order to gain native access to your installation. If they later attempted to view the passwords in Chrome or use the ChromePass utility, they would be unable to do so. Simply put, the decryption process fails because the "master password" (which was your Windows account password before they forcibly reset it outside of Windows) no longer matches.

For the same reason, ChromePass would display empty passwords if someone copied the Chrome password SQLite database file and attempted to access it on a different computer.

Conclusion

Finally, the user is entirely responsible for the security of Chrome's saved passwords:

  • For your Windows account, create a password that is extremely difficult to guess. Keep in mind that there are utilities available that can decrypt Windows passwords. If someone manages to get their hands on the password to your Windows account, they will also have access to any saved browser passwords.
  • Protect yourself from malicious software. If utilities can access your saved passwords with relative ease, why would malware be unable to?
  • When storing your passwords, use a password management system such as KeePass to keep them safe. You will, of course, give up the convenience of having the browser automatically fill in your passwords when you do this.
  • Use a third-party password manager that integrates with Chrome and makes use of a master password to keep track of all of your passwords.
  • Using TrueCrypt, encrypt your entire hard drive. If someone is unable to decrypt your drive, they will almost certainly be unable to retrieve any information from it. This is entirely optional and only needed where the most stringent security is required.

Overall, if you keep your system as secure as possible, your Chrome passwords should be at least moderately secure.
