While it’s better than nothing, you shouldn’t use Google to store your passwords.
- Already built into Android and Chrome
- Google is slowly rolling out on-device encryption
- (Arguably) better than nothing
- Very limited security options
- Inconsistent availability of new password management features
- Google has stated that “physically-local” security isn’t a priority
- Security: Passwords are encrypted using AES-256; Google stores a key in your account. As of June 2022, Google is offering some users on-device encryption, associated with your Google account password
Google has a password management solution, and that’s generally been about the best you can say for it – but changes are in progress.
Google Password Manager exists as a web vault that can be synced to your Android phone and Chrome browsers, providing basic autofill and autosave functionality for web passwords.
Note that since 2021, the open source Chromium browser can no longer sync passwords with your Google account and requires no authentication to expose them to anyone with access to the browser.
Following a June 2022 update, Google has begun rolling out on-device encryption to some users. Unfortunately, the opt-in feature hadn’t yet reached any of my test accounts by the time of this review, so I’ll provide an overview of forthcoming features alongside the current feature set available to me.
Google Password Manager is included in all Google and Android accounts.
You should actively disable password saving when switching to another password management solution. Google makes it easy to export and then delete all of your passwords via passwords.google.com.
- Google using encryption since 2020
- Google doesn’t specialise in password security
- More features coming in the future
On-device encryption means that strong encryption (usually 256-bit AES) is used to make passwords saved on your computer or phone indecipherable without the correct master password.
Although it was once notorious for storing user passwords in plain text, Google Password Manager has actually been encrypting Chrome passwords since 2020, using an internal master key to ensure they’re secure when at rest on your devices. However, this doesn’t stop someone with physical access from just opening your browser to take a look at them.
The main change for users who opt into on-device encryption is that they’ll have to enter their Google password (or respond to a passwordless login challenge on their associated device) whenever they want to access their passwords.
Currently, I have to authenticate myself whenever I want to look at a password entry in my online vault, but not if I want to view them in my browser’s Saved Passwords entry.
It’s obviously very welcome that Google is trying to develop its password manager into something more functional. Reports from Chrome beta users indicate that we might get to see features such as notes and password sharing in the future.
However, because Google doesn’t specialise in password security, it doesn’t do a very thorough job. The Chrome Security FAQ makes it clear that it regards issues that require physical access or a compromised PC to exploit as “physically-local attacks” beyond its remit. As a result, it has shown little interest in fixing long-standing issues with Chrome (and Chromium) browser passwords being held in memory in clear text.
Admittedly, this requires very specific access to a system to exploit, but password handling in memory is a challenge that more serious password managers have tackled, with varying degrees of success, and explicitly documented.
Google’s approach isn’t a good look when compared to the in-memory password protection and purging measures of rivals such as KeePass and Bitwarden. It isn’t currently clear how this vulnerability interacts with the new on-device encryption system, or whether it will continue to be regarded as low-priority.
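As an added illustration (not code from this review or from any of the products named), this is the kind of handling the in-memory protection and purging measures above refer to: a credential is copied into a buffer the kernel is asked not to swap, compared in constant time, and then overwritten with a wipe the compiler cannot optimise away before the lock is released. The struct and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

#define SECRET_MAX 128

/* Wipe that the compiler cannot drop as a "dead store": every byte is
 * written through a volatile pointer (the same idea as explicit_bzero). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0) *vp++ = 0;
}

/* A credential held in memory only for as long as it is needed. */
typedef struct {
    unsigned char buf[SECRET_MAX];
    size_t len;
    int locked;   /* 1 if mlock() succeeded (page kept out of swap), else 0 */
} secret_buf;

/* Copy the plaintext in and ask the kernel not to swap the page out.
 * Returns 0 on success, -1 if the secret does not fit. */
int secret_load(secret_buf *s, const char *plaintext) {
    size_t n = strlen(plaintext);
    if (n >= SECRET_MAX) return -1;
    memset(s, 0, sizeof *s);
    s->locked = (mlock(s, sizeof *s) == 0);  /* may fail unprivileged; non-fatal */
    memcpy(s->buf, plaintext, n);
    s->len = n;
    return 0;
}

/* Constant-time comparison: timing does not reveal how many bytes matched. */
int secret_matches(const secret_buf *s, const char *candidate) {
    size_t n = strlen(candidate);
    unsigned char diff = (unsigned char)(n != s->len);
    for (size_t i = 0; i < s->len; i++) {
        unsigned char c = (i < n) ? (unsigned char)candidate[i] : 0;
        diff |= s->buf[i] ^ c;
    }
    return diff == 0;
}

/* Purge: overwrite the whole structure, then release the memory lock. */
void secret_release(secret_buf *s) {
    int was_locked = s->locked;      /* read before the wipe clears it */
    secure_zero(s, sizeof *s);
    if (was_locked) munlock(s, sizeof *s);
}

/* Verification helper: no plaintext byte survives the wipe. */
int secret_is_wiped(const secret_buf *s) {
    for (size_t i = 0; i < sizeof s->buf; i++)
        if (s->buf[i] != 0) return 0;
    return s->len == 0;
}
```

The wipe must run before the buffer is freed or goes out of scope; a plain memset at that point is exactly the store an optimising compiler may remove.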
Right now, between different Android versions, region- and device-locked roll-outs, and the withdrawal of the sync API from Chromium, it’s hard for any individual user to tell if and when they’ll get access to new password security features.
If you’re looking for convenience
It’s certainly convenient to save and sync passwords across your Google browsers and devices. It’s better than not using any kind of password management at all, but worse than most alternatives.
If you require sophisticated and customisable security
Please use a different password manager. They have better features and security measures.
A lot of people use Google’s built-in service to store their passwords, so any improvements to Google Password Manager are hugely important and I’m delighted to see them. But as someone who cares about security, you should use a dedicated password manager such as Bitwarden, 1Password, NordPass, LastPass or Dashlane.
We test each password manager ourselves on a variety of computer and mobile operating systems. We carry out comparative feature analysis against industry standards and rival products, and test security and convenience settings such as default logout behaviour and offline access.
We used each password manager for at least a week.
Tested all of the available features.