Chrome OS may add extra security to view passwords saved in a Google account

If you store your passwords natively with Google on a Chromebook, you have easy access to them once you’re signed in to your device. Just visit Settings, Passwords in Chrome OS and you can see them all in a list or search for specific ones. There’s no additional authentication required. That could change though: Chrome Story found an active bug report that may lead to an additional sign-in step for authentication.

That’s actually how Google’s password store works in the Chrome browser on all other platforms, so this would add consistency, per one of the comments on the bug report:

On Windows, MacOS, Android and iOS we ask the user to enter their OS credentials before revealing the password. On ChromeOS there is no API to do that (AFAIK). This did not make it to the password manager team’s priority list because of the effort to introduce such a reauthentication mechanism.

I’m not overly concerned about my Google passwords currently being “unsafe” on a Chromebook because I always lock it when I’m not using it. And if someone had my Google account credentials already, they would have access to my passwords stored with Google simply by hitting https://passwords.google.com and signing in. Put another way: My Chromebook isn’t the weak spot here. Plus I have two-factor authentication (2FA) enabled for my Google account anyway.

There still seems to be some internal debate on how to implement this change, as well as whether it should apply specifically to enterprise users with managed Chrome OS devices via policy or should become available to consumer users of Chrome OS as well.

The feature request seems to be to have a policy that disables the reveal button in chrome://settings/passwords. For this, the enterprise team would be the most skilled people because they know how to introduce policies and make them affect things in chrome://settings.

I’d vote for both since an extra authentication wouldn’t hurt anyone.

If the current Google account passwords situation scares you, there’s always the option of a third-party password manager such as LastPass or 1Password. For now, I’m sticking with Google and keeping my 2FA setting on for the account.

6 thoughts on “Chrome OS may add extra security to view passwords saved in a Google account”

  • January 18, 2019 at 10:44 am

    I take it one step further and use Google Titan for 2FA and have advanced protection enabled, so that my Google account cannot be accessed from a new device without a physical key. Like you, I also lock my Pixelbook when I step away.

    • January 18, 2019 at 10:47 am

      Yup, I have the same setup: Titan security key and advanced protection enabled. Definitely the way to go and well worth the $50 for the Titan package IMO. 🙂

      • January 19, 2019 at 9:53 am

        Thanks Kevin, that means a lot to me that you are doing the same.

        Following you and Stacy has really improved my knowledge on Google and IoT. Appreciate all the work both of you do. J

        • January 19, 2019 at 9:55 am

          Thanks for the kind words, John!

  • January 19, 2019 at 1:57 pm

    I’d like to see a second different access key in addition to being logged into a user’s Google account to view or modify information stored in the account. It need not be complex so long as it doesn’t use public information about the user or repeat information from the account name.

    E.g., Walmart uses a simple 4-digit code, one created by the user, to access that user’s pharmacy information.

    • January 19, 2019 at 2:33 pm

      You can essentially do that by setting up 2FA on your Google account and the Google Authenticator app. Before I bought a Titan key, that was my setup.
