Introduction
Google has a password management solution, and that’s generally been about the best you can say for it – but changes are in progress.
Google Password Manager exists as a web vault that can be synced to your Android phone and Chrome browsers, providing basic autofill and autosave functionality for web passwords.
Note that since 2021, the open source Chromium browser can no longer sync passwords with your Google account and requires no authentication to expose them to anyone with access to the browser.
Following a June 2022 update, Google has begun rolling out on-device encryption to some users. Unfortunately, the opt-in feature hadn’t yet reached any of my test accounts by the time of this review, so I’ll provide an overview of forthcoming features alongside the current feature set available to me.
Pricing
Google Password Manager is included in all Google and Android accounts.
You should actively disable password saving when switching to another password management solution. Google makes it easy to export and then delete all of your passwords via passwords.google.com.
Features
- Google has been using encryption since 2020
- Google doesn’t specialise in password security
- More features coming in the future
On-device encryption means that strong encryption (usually 256-bit AES) is used to make passwords saved on your computer or phone indecipherable without the correct master password.
Although it was once notorious for storing user passwords in plain text, Google Password Manager has actually been encrypting Chrome passwords since 2020, using an internal master key to ensure they’re secure when at rest on your devices. However, this doesn’t stop someone with physical access from just opening your browser to take a look at them.
The main change for users who opt into on-device encryption is that they’ll have to enter their Google password (or respond to a passwordless login challenge on their associated device) whenever they want to access their passwords.
Currently, I have to authenticate myself whenever I want to look at a password entry in my online vault, but not if I want to view them in my browser’s Saved Passwords entry.
It’s obviously very welcome that Google is trying to develop its password manager into something more functional. Reports from Chrome beta users indicate that we might get to see features such as notes and password sharing in the future.
However, because Google doesn’t specialise in password security, it doesn’t do a very thorough job. The Chrome Security FAQ makes it clear that it regards issues that require physical access or a compromised PC to exploit as “physically-local attacks” beyond its remit. As a result, it’s shown little interest in fixing long-standing issues with Chrome (and Chromium) browser passwords being held in memory in clear text.
Admittedly, this requires very specific access to a system to exploit, but password handling in memory is a challenge that more serious password managers have tackled, with varying degrees of success, and explicitly documented.
Google’s approach isn’t a good look when compared to the in-memory password protection and purging measures of rivals such as KeePass and Bitwarden. It isn’t currently clear how this vulnerability interacts with the new on-device encryption system, or whether it will continue to be regarded as low-priority.
Right now, between different Android versions, region- and device-locked roll-outs, and the withdrawal of the sync API from Chromium, it’s hard for any individual user to tell if and when they’ll get access to new password security features.