Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
By default, Google manages your encryption key, but it also allows you to set up on-device encryption, which works like a zero-knowledge architecture. Your passwords are encrypted on your device before they are stored, and you manage the key. Regardless of how encryption works, Google uses AES, which is still the gold standard for password manager security.
Previously, decrypting Chrome passwords was trivial, requiring little more than a Python script and knowledge of where files were stored. But even there, Google has raised the security bar. App-bound encryption has invalidated those methods, and cracking passwords is more involved than ever. Also, Google has integrated with Windows Hello. If you choose, Windows Hello can protect your passwords every time you log in by requesting your PIN or biometric authentication.
Other browsers are not as secure. Firefox, for example, makes it clear that although passwords stored in Firefox are encrypted, “someone with access to your computer user profile can still see or use them.” Brave works similarly, although I suspect most people using Brave are using a third-party password manager (and probably a VPN) already.
Regardless, saving your passwords in a less secure browser like Firefox is much better than not using a password manager at all. And the browsers at the forefront of market share, Chrome and Safari, have greatly improved their security practices over the past few years. The problem isn’t encryption – it’s putting all your eggs in one basket.
OpSec, or operational security, is a term commonly used when talking about sensitive data of government or private organizations, but you can look at your own security through an OpSec lens. If you were an attacker and wanted to swipe someone’s password, how would you do it? I know where to look first.
Even with better security measures, the goal of a browser-based password manager is to get people using password managers. This has to be balanced against how easy the password manager is to use. In a blog post announcing changes to Google’s authentication system at Google I/O this year, the company mentioned reducing “friction” seven times, while “encryption” was not mentioned at all. That’s not necessarily a bad thing, but it’s a testament to how these tools are designed.
You don’t have to pick words from a blog post to see this focus. Google gives you the option to turn on biometric authentication with Windows Hello or Google Password Manager. Every time you want to fill in a password, you need to authenticate. This is undoubtedly more secure than not authenticating every time, but the setting is off by default. This causes friction.