Warning: Don't Let Google Manage Your Passwords

[numike]

Content source

https://www.pcmag.com/opinions/warning-dont-let-google-manage-your-passwords

Don't Let Google Manage Your Passwords

Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a seriously bad idea. Here's why.

www.pcmag.com

 

[Jonny Quest]

Never have, never will.

 

[upnorth]

Spoiler: Microsoft :P

 

[blackice]

Yeah, wouldn’t have anything to do with all the affiliate links in their best password manager articles.

 

[oldschool]

Clickbait! I clicked anyway.

 

[MrMr]

I doubt anyone on this site uses Google passwords, Google is one of the biggest known viruses you can't avoid haha

 

[Gandalf_The_Grey]

If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

No doubt there will be many people reading this who don’t like this advice. All I can say is I’ve heard all the arguments, and stand by my conclusions.

By Tavis Ormandy a vulnerability researcher with Google Project Zero:

Password Managers.

lock.cmpxchg8b.com

 

[nickstar1]

I don't let anything manage my passwords I'm safe inside my mind of remembrance. We all know any company can have a data breach, but chips haven't been installed into our brains yet so that's still safe option. Password managers are pointless in my opinion.

 

[MrMr]

I don't let anything manage my passwords I'm safe inside my mind of remembrance. We all know any company can have a data breach, but chips haven't been installed into our brains yet so that's still safe option.

You can use something like KeePass with the autofill plugin. You own that database instead of "in the cloud's or "securely stored". KeePass saves on your device and nowhere else (unless you install plugins for that)

 

[Digmor Crusher]

I don't let anything manage my passwords I'm safe inside my mind of remembrance. We all know any company can have a data breach, but chips haven't been installed into our brains yet so that's still safe option. Password managers are pointless in my opinion.

While that may work well for you, for me, not so much. I could remember 10-15 passwords, but 100 +, not a chance.

 

[MrMr]

I can remember 100 passwords that are the same but not safely randomly generated

 

[oldschool]

By Tavis Ormandy a vulnerability researcher with Google Project Zero:

Password Managers.

lock.cmpxchg8b.com

I place my bet on Tavis' side.

 

[cartaphilus]

Don't Let Google Manage Your Passwords

Experts tell us that relying on Google Chrome (or any browser) to manage your online passwords is a seriously bad idea. Here's why.

www.pcmag.com

I always let facebook manage my passwords.

 

[Azure]

By Tavis Ormandy a vulnerability researcher with Google Project Zero:

Password Managers.

lock.cmpxchg8b.com

Or use a desktop password manager

- No Extension

- No Browser Password Manager

 

[Zero Knowledge]

I would listen to Tavis Ormandy for advice before I take advice from PCmag

 

[Trident]

Neither Travis Ormandy (Google puppet), nor anyone from PC Mag are to be trusted. Saving passwords both in browsers and in a dedicated password manager is always a HUGE security risk for the following reasons:

-A breach will most likely allow attackers to access passwords - that being said, yes, I trust Google to secure their network better than let's say Bitwarden. I mean the revenue streams are not really equal.
-RATs normally exfiltrate passwords - vast majority have been focused on browsers but lately, third-party password managers have been "put under the knife" as well.

In the light of the above, I think it's fair to conclude that the built-in password manager (specially Google one that integrates with Android) is slightly better. It is still unsafe but at least a bit more convenient.

 

[piquiteco]

It has never been safe to leave passwords saved in the browser, for one simple reason, it has no encryption, the database file that your passwords are saved, anyone with even a little knowledge can access them your passwords, imagine in the hand of a hacker what he can do. To be more direct and specific Chrome stores your passwords in a file called "Login Data". For those who don't know, this file is nothing more than a database in SQLite 3.x format. Using the sqlite3 command, you can access the tables stored in this file, including the logins table, which stores your passwords. I will not detail how to do this, because it would be unethical on my part and it would also violate the MT forum rules, this is a security forum and not a hacking forum. I did a test recently to see if google had changed something and to my surprise nothing has changed, I took advantage and added some passwords for this test, and I was surprised how easy it was to access these passwords saved in this file, and I am no expert. I agree that using an extension-based password manager can be vulnerable. In this case, to mitigate any potential flaws of exposing your passwords from being exfiltrated by the attacker, it is recommended to use a desktop-based PM that does not use an extension or any plugin in your browser. The @Azure is correct in his statement in post #14 Do the test and research for yourself you will be shocked to see the results.

 

[Viking]

I haven't used Chrome in years.

 

[Sorrento]

As above: Never have never will