That you can do this is concerning.
Yes.
And honestly, that should concern you.
Many web browsers, including Google Chrome, can remember passwords for you. You can see what's been remembered in Chrome by searching for "password" in Settings and clicking on "Saved Passwords". For each account listed, click on the "eye" icon to view the actual password. While security has improved and features have been added, I still prefer a separate, dedicated password manager for saving passwords.
Browser-saved passwords
To be clear, what we're discussing here is a feature of Google Chrome that saves passwords for you without the use of an additional password vault[1].
Visit a website that requires login, log in normally, and the browser will offer to save the password for you.
Click on Save, and Chrome will automatically enter the username and password for you the next time this site asks you to log in.
But what if you need to see the password?
Viewing saved passwords in Google Chrome
Click on the vertical ellipsis (three dots) in the upper right of the Chrome window, and then click on Settings.
On the resulting Settings page, search for "password", and in the results list, below Autofill, click on Passwords.
On the resulting page, you'll see a section labelled "Saved Passwords".
Here, each stored password is represented as dots for security. Click on the eye icon, and you'll be prompted to re-enter your Windows password.
Enter that, and your password will be displayed.
While I've obscured a portion of my password, your entire password will be completely visible.
Security ramifications
I've never been a huge fan of browser-saved passwords, and while the majority of my objections[2] have fallen by the wayside over time, one substantial one remains.
All we needed was your Windows password to view any password you've allowed your browser to save.
The implication is that the level of security required to display your password collection is the same as that required for logging into Windows. In practice, that's not true. Your password collection warrants a long, strong password, with two-factor authentication.
People generally don't do that for their Windows login. Even Microsoft accounts, when used, are often held to a lower security standard than a collection of passwords deserves.
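Why the Windows password is enough, in concrete terms: on Windows, Chrome keeps saved logins in an SQLite file named "Login Data" inside the profile folder, and every password_value stored there is wrapped, either directly or via a per-profile key kept in "Local State", with DPAPI, which is keyed from your Windows logon credentials. The script below is an added example, not Ask Leo's code or anything shipped by Google; it inventories such a store and reports how each entry is protected without decrypting anything, so you can see exactly what you have handed to the browser before moving it to a vault. The profile path is an assumption for a default per-user install, and the sample database it falls back to is constructed here, mimicking only the columns and blob prefixes the script reads.

```python
"""Inventory a Chrome "Login Data" store and report how each password is protected.

Added example for this article (not Ask Leo's code). It never decrypts anything;
it lists what the browser is holding and classifies each blob by its format.
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed default profile location on Windows (standard per-user install).
CHROME_LOGIN_DATA = (
    Path.home() / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default" / "Login Data"
)

# A raw DPAPI (CryptProtectData) blob starts with this version header.
DPAPI_BLOB_MAGIC = b"\x01\x00\x00\x00"


def classify_blob(blob: bytes) -> str:
    """Describe how a password_value blob is protected, by prefix only.

    Every scheme below ends at DPAPI, i.e. at the Windows logon credentials,
    which is why Chrome only needs your Windows password to show the plaintext.
    """
    if not blob:
        return "empty"
    if blob.startswith(b"v10"):
        # Chrome 80+: AES-256-GCM with a per-profile key stored in "Local State",
        # where that key is itself DPAPI-protected.
        return "aes-gcm, key DPAPI-protected"
    if blob.startswith(b"v20"):
        # Chrome 127+ "app-bound" variant: same idea, key additionally bound to Chrome.
        return "aes-gcm app-bound"
    if blob.startswith(DPAPI_BLOB_MAGIC):
        # Pre-Chrome 80: the password itself is a DPAPI blob.
        return "dpapi direct (legacy)"
    return "unknown"


def inventory(db_path: Path) -> List[Dict[str, str]]:
    """Return origin, username and protection scheme for every saved login."""
    # Chrome holds a lock on the live file; always read from a copy.
    with tempfile.TemporaryDirectory() as tmp:
        working_copy = Path(tmp) / "Login Data"
        shutil.copy2(db_path, working_copy)
        conn = sqlite3.connect(working_copy)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value, password_value "
                "FROM logins ORDER BY origin_url"
            ).fetchall()
        finally:
            conn.close()
    return [
        {"origin": origin, "username": user, "protection": classify_blob(pw)}
        for origin, user, pw in rows
    ]


def build_sample_store(path: Optional[Path] = None) -> Path:
    """Constructed sample: only the columns this script reads, with fake blobs
    whose prefixes mimic the real formats. Not data from a real profile."""
    if path is None:
        path = Path(tempfile.mkdtemp()) / "Login Data"
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [
            ("https://bank.example/login", "alice", b"v10" + b"\x00" * 12 + b"\xaa" * 24),
            ("https://mail.example/", "alice@example", b"v20" + b"\xcc" * 40),
            ("https://old.example/", "alice", DPAPI_BLOB_MAGIC + b"\xbb" * 40),
        ],
    )
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    target = CHROME_LOGIN_DATA if CHROME_LOGIN_DATA.exists() else build_sample_store()
    for row in inventory(target):
        print(f"{row['origin']:<30} {row['username']:<16} {row['protection']}")
```

Run it on a machine where Chrome is installed and it walks the real profile; anywhere else it uses the constructed sample. Whatever it reports, the lesson is the same one the article makes: the plaintext is one Windows logon away, so the inventory tells you which sites you should move to a vault with its own master password and 2FA.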
I prefer a separate password vault with its own, tighter security.
That being said, if you've allowed Google Chrome to save your passwords for you -- which is admittedly very convenient -- now you can view what's been saved when you need to type it in manually elsewhere.
Footnotes & References
[2]: Poor encryption implementation, and the inability to share passwords across machines.
I, too, prefer to use LastPass. Just to get into my vault requires two-factor authentication (2FA). I also have 2FA set up for my Microsoft and Google accounts as well as all other accounts that allow it. Having read about browser vulnerabilities in the past, I don’t store passwords in any browsers. I also max out the characters when using LastPass to generate passwords. Figure the bad actors will have to earn their ill-gotten gains to get my information.
You can also view your saved passwords in LastPass and LastPass gives you the option of requiring your LastPass password each time you want to view them. You should allow this option. Another advantage of LastPass is that you can use the LastPass website to access your passwords on someone else’s computer.
Isn’t it worse than just having the password hidden behind a potentially weak password? It seems to me that being signed into Chrome with my Google account allows my saved passwords in Chrome on my Android based tablet to be shared with Chrome on my laptop. That would mean that Google is not just storing my passwords in the clear in Chrome on the device, but sending passwords in the clear over the internet to and from my Google account.
That’s why I’m in the process of moving my passwords to LastPass.
Actually it doesn’t imply that they’re being transmitted in the clear. They could be (and probably are) stored and transmitted encrypted, using a key somehow associated with your account. But I still prefer a password vault. :-)
I have experienced conflicts between LastPass and Chrome saved passwords. LastPass would populate the UID and password, but depending on the site it would be the old password saved in Chrome. I went to Chrome password settings and turned it off. That worked for some sites, but my banking, credit-card and financial sites would still confuse LastPass.
I reached out to LastPass support and they told me to delete all my saved passwords in the Chrome browser…Problem solved…sorta…LastPass did behave much better. It was a strange phenomenon to say the least.
There is another aspect to LP that gets confusing when you have multiple accounts with one company. I’m retired from at&t and have several sites I log into. Within the password box is the LP box; it will have a number indicating how many passwords are associated with that account name. When you click that box you get the drop-down with all the UID/passwords that associate to that company. I cannot determine how to prevent this action.
Browser cache can affect LP and I adjust settings accordingly and also manually delete often. Extensions can cause problems also. You must be aware there will be certain sites that LP will have issues with and need a work-around.
All said and done, LP is amazing and I couldn’t live without it…Leo, maybe you could do a LastPass tutorial of sorts…
“I cannot determine how to prevent this action.” — Why would you want to? I too have this, but I use it extensively logging in to different accounts on the same service. (You can “break” by editing the URL with the saved passwords for the ones you don’t want to see, but then you won’t be able to use them when you arrive on that site.)
There are absolutely site and browser combinations that fool lastpass. Some sites seem to intentionally try to break password vaults, which in my opinion is a huge mistake. In LastPass’s case that dropdown often also lets you easily copy/paste your password, another feature I use a lot.
I use that a lot too. Just remember to clear those passwords from your Clipboard history.
I have one site with 9 different combinations for logging in. It isn’t a problem at all — just change the name. In my case, since I’m accessing Ring Central I just name them Ring Central followed by the extension number. Then I can quickly choose the one I want. It doesn’t really slow me down at all.
Chrome has a bad habit of forgetting the saved passwords. I found the file where all saved sites and encoded passwords are still listed, but Chrome does not use it. Probably, it forgot how to decipher the encoded stuff.
The builtin Firefox password vault can be protected with a master password.
If you have a local account for your PC (not an MS account), then Chrome doesn’t ask for a password to view its stored passwords. The same is true for Firefox. That makes it even less secure. BTW, I use LastPass in both browsers.
Thanks for this. I use CCleaner and always set it to delete saved passwords – I use this frequently for some obsessive reason. I have got into the habit of refusing to rely on Chrome to autofill anything. There is a risk of relying on Chrome and then loading up CCleaner and not looking at the array of settings. Sadly I use a single day to day password for trivia and individualised pw for banking and important sites and I write them in a book which I keep in a different room.
why would you use google chrome?
until I have the answer to that, I can’t take you seriously as a reference on security.
Because it’s a good browser? Has tons of features I use? Is the most popular browser on the planet? Because the whole “Google is evil” thing is overblown? (Not saying they’re Mother Theresa great, but I certainly don’t believe I’m putting myself at risk by using Chrome.) I’m guessing I’ll have failed your test.
I also use a password vault, and I have been using it since about 2010, I think, but it isn’t LastPass. The name of this app and/or the company behind it is irrelevant to this discussion, and therefore, not wishing to provide free advertising to a third party through Leo’s website (an activity that could result in my comment getting “moderated” – into the shredder), I shall keep that information to myself.
I have over 600 sets of account credentials stored in this password vault, and my (one-time-only paid and permanent) subscription level ensures that: (1) I can use the vault on an unlimited number of devices for no extra charge; (2) I can backup all my password data to the cloud, (not Google Drive or the like – it’s the vault developer’s own cloud server); and (3) sync the passwords on all my devices easily, and with no hassles of any kind.
Unfortunately, along with Leo, I have also discovered that the login pages of certain websites seem to have been designed with the intention of breaking or defeating my password vault app, (along with, I suppose, all others). (I once read a rumour somewhere that certain website operators were falsely reporting password vault apps to popular malware reporting sites as keyboard-logging malware. How much truth there was to this rumour, I have no idea).
The first of my two password vault problems seems to have started about (IIRC) 4 or 5 years ago, when Microsoft split the login process (logging into outlook.com or Microsoft Account) into two separate pages: one for the username, followed by a second for the password. Then, not long after that, Google started doing the same thing (e.g., for Gmail and/or the Chrome browser), and my password vault was rendered unable to log me into either of these two sites automatically. (Also, for a while, the Chrome browser was unable to do it either, forcing me to login manually to Google and Microsoft).
I worked around this for quite some time, logging myself in manually, until the developers finally found a way to cope with this, and now, my password vault works perfectly with Microsoft and Google, but there are still certain other websites that I use frequently, with which my password vault cannot work properly. In these cases, I allow Google Chrome to save the password(/s) for me, and I set my password vault to ignore those sites. (In most cases, Google Chrome will remember and perform the relevant login successfully).
My password vault is also configured to ignore my banking site, (which uses 2FA in the form of a PHYSICAL TOKEN which MUST remain in my possession at all times, and is in no way linked – either physically or virtually – with any of my other devices).
Also, a few of the passwords stored in my vault include some highly unusual symbolic characters, which it would be extremely rare to find in use by any English language speaker, or even any European language speaker, and occasionally, the password vault will fail to enter such a password, thus obliging me to enter it manually. My password vault tech support has put the problem down to the use of these rare characters. When this occurs, (and until the developers find a way to cope with this), I will allow Google Chrome to remember these passwords as well.
Apart from those two small-to-medium-sized problems, I have been using this vault for at least 10 years, and I’m pretty sure that I shall be continuing to use it for many years to come. I would heartily recommend the use of a password vault to anyone who needs to store more than, say, 20 username/password combinations. I think if you have 20 or fewer, a pen and paper is as safe as anything else.
That’s my 2¢ worth, anyway!
NEVER ALLOW AUTOFILL ANYWHERE ANYTIME-
NEVER STORE PASSWORDS ANYWHERE ANYTIME-
KEEPING TRACK YOURSELF MAY BE LESS CONVENIENT, BUT CERTAINLY MORE SECURE-
IF YOU DON’T DIRECTLY CONTROL/ACCESS YOUR OWN PASSWORDS, YOU GIVE UP THE RESPONSIBILITY TO SOMEONE/SOMETHING ELSE AND DECREASE SECURITY-
PASSWORDS, LIKE THE THE SECURITY OF YOUR MACHINE, ARE EITHER UNDER YOUR PHYSICAL CONTROL, OR NOT…
IMHO
If you’re presenting a list of Nevers: Never type a comment in all caps. :-)
Indeed. Doing so can lead to this: WHY IS EVERYONE ON THE INTERNET SO GRUMPY?
Needless to say I disagree with your position. You can use a tool (I use lastpass but there are others) to safely and securely store passwords. This enables you to use more complex and secure passwords than if you had to try and track it all by hand.
Firefox, a widely used browser, does not require any other password to display saved passwords. Simply clicking on the “eye” changes the dots to the password making the dots pointless. I feel this is something Mozilla should urgently change.
Firefox gives the option to password-protect its saved passwords under “Browser Privacy”
Passwords and LastPass have always confused me. I think it is because of those damn dots instead of seeing what is chosen for you. Sure, you’ve changed your password, but then your password is lost and you can’t get into your site because for some unknown reason Lastpass didn’t change the vault. Since it is just you and the site when you are changing your password, I would rather be able to copy what lastpass generated and paste into the vault myself. In other words, lastpass doesn’t work the way I want it to. I have no trouble doing things the wrong way with no coaching. I still haven’t learned how to do it the right way (the lastpass way). Maybe it’s because I use the “free” version and that isn’t supposed to work right all of the time.
You can absolutely have lastpass’s password generator generate a password you can see, and then copy/paste that into a password field. I do it all the time.
Very informative article. One question: Do browsers save your passwords on your computer or on their servers?
If you have sync turned on Google saves Chrome passwords on their servers.
Edge stores the password vault on their servers if you are logged in to Windows with a Microsoft account.
Firefox stores them in the cloud if you are signed in to Firefox.
Note that these are in addition to being stored locally on your machine(s).