Memorizing ultra-secure passwords is something very complicated that practically no one can do. This is why password managers have gained so much popularity. The main web browsers, such as Google Chrome, Edge or Firefox, have their own integrated password managers that make it very easy to save passwords and use them when we enter a website. However, this convenience comes at a price. And that price is our security.
When we register on a website, log in, or generate a secure password from Google Chrome, the credentials are automatically saved in the browser. And, if we have a Google account, they sync with the cloud to have them on all our devices. So far, everything is correct. However, just as we have them, anyone else who has access to our computer could access all of them.
Although it is possible to configure a PIN (or use Windows Hello) every time we want a password, this security measure is easily evaded by any hacker. That, added to the impossibility of configuring a double authentication system to access passwords, or military encryption of them, makes using the browser to save passwords not a good idea. Additionally, Chrome saves a copy of your passwords on your computer, in the “C:/Users/” directory.[usuario]/AppData/Local/GoogleChrome/User Data/Default”, within the “Login Data” file.
Therefore, if you do not want your passwords to be in danger and fall into the wrong hands, you should take additional security measures to protect this data.
Protect Windows correctly. The first thing we must do is protect access to our operating system correctly. It is necessary to use a username and password to be able to enter the system or, failing that, activate Windows Hello as a login system. This way we make sure that no one can open our computer when we are not there and see the passwords.
Use disk encryption. As a complementary configuration to the previous one, we must also configure an encryption system for our hard drive, with BitLocker, so that if someone removes the hard drive or SSD from our PC, and places it in another, they cannot access the data they contain. there are saved in it.
Encrypt passwords. There are several ways to encrypt the passwords that we save in Google Chrome. The first of them uses our Google key (along with its double authentication) to encrypt, above all, the backup copy that is uploaded to the cloud, so that no one can see them during the backup. The second of them is to opt for device encryption, which turns our mobile phone, or PC, into a security key that will encrypt the passwords and prevent anyone from accessing them.
Never use the export option. This is the worst thing you can do. When we export passwords from Google Chrome, the browser extracts them in a completely flat format, so we can open them with any program, such as Excel. We can see all the websites, users, emails and, of course, these passwords. If this file falls into the wrong hands, it is the worst that can happen.
Use a third-party password manager
And, if Google Chrome is so bad at saving passwords, what’s the alternative? Very easy. What we have to do is look for a password manager that allows us to save them with complete security. There are many types:
- 100% local and safe. These managers save the passwords in an encrypted database within the PC and prevent anyone from accessing them. For example, KeePass.
- On the cloud. These alternatives are more convenient, since they upload passwords to the cloud and allow us to access them from other devices. For example, we have LastPass within this category, or BitWarden.
- Self-hosted. It allows us to set up our own cloud, where only we have the database. We have the best of the local (control), and the best of the cloud (synchronization). BitWarden is the best option, or its free implementation VaultWarden.
Of course, we cannot forget about good practices when using passwords. When registering on a website we must ensure that the password we choose is a secure, random password that uses uppercase and lowercase letters, numbers and symbols. We should never reuse passwords, to avoid that if the password for a website is stolen, they can access all the other websites where we are registered, and, in addition, change the passwords periodically (something that is rarely done) so that, if any have been stolen , when they try to use it it has already expired.
