
A common question about the Google Chrome Browser is “why isn’t there a master password?” Google has (unofficially) taken the position that a master password provides a false sense of security and the most viable form of protection for this sensitive data is through overall system security.
So exactly how secure is your saved password data inside of Google Chrome?
Viewing Saved Passwords
Chrome includes its own password manager, accessible via Options > Personal Stuff > Manage saved passwords. This is nothing new, and if you allow Chrome to store your passwords, you are probably already aware of this feature. A nice touch of minor security is that you must first click the Show button next to each password you want to view.
While there is no restriction on accessing this screen (i.e. if you have access to the desktop where Chrome is installed, you can get to the passwords), at least user intervention is required to view each password, and there is no way to export them in bulk to a plain text file.
Where is the Password Data Stored?
The saved password data is stored in an SQLite database located here:
%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data
You can open this file (the file name is just “Login Data”) using SQLite Database Browser and view the “logins” table, which contains the saved passwords. You will notice the “password_value” field is unreadable because the value is encrypted.
How Secure is the Encrypted Data?
To perform the encryption (on Windows), Chrome uses a Windows-provided API function which makes the encrypted data decipherable only by the Windows user account that was used to encrypt the password. So essentially, your master password is your Windows account password. As a result, once you are logged into Windows using your account, this data is decipherable by Chrome. However, because your Windows account password is a constant, access to the “master password” is not exclusive to Chrome: external utilities can get to this data – and decrypt it – as well. Using the freely available utility ChromePass by NirSoft, you can see all your saved password data and easily export it to a plain text file.
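As an added example that is not part of the original post, the following Python script audits a copy of the Login Data file and reports, for each saved login, whether password_value carries the DPAPI blob header (the Windows account-bound protection described above) without decrypting anything. It also recognises the "v10" prefix that later Chrome versions use for AES-GCM-encrypted values, which goes beyond the Chrome version discussed here; the sample rows, usernames and URLs are constructed.

```python
"""Audit a copy of Chrome's "Login Data" SQLite file and report how each
saved password_value is protected, without decrypting anything.
Added example, not code from the original post; the sample rows,
usernames and URLs below are constructed."""
import sqlite3

# A DPAPI blob begins with a 4-byte version (1) followed by the DPAPI provider
# GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its on-disk byte order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def classify_password_value(value: bytes) -> str:
    """Label a password_value blob by the protection scheme its prefix reveals."""
    if value.startswith(DPAPI_HEADER):
        return "dpapi"         # scheme the post describes: bound to the Windows account
    if value.startswith(b"v10"):
        return "aes-gcm-v10"   # later Chrome: AES-GCM; the key is itself DPAPI-wrapped in Local State
    return "unknown"           # neither prefix: worth a closer look during an audit


def audit_login_data(conn: sqlite3.Connection) -> list:
    """Return (origin_url, username_value, scheme) for every row of the logins table."""
    rows = conn.execute(
        "SELECT origin_url, username_value, password_value FROM logins ORDER BY rowid"
    ).fetchall()
    return [(url, user, classify_password_value(bytes(pw or b""))) for url, user, pw in rows]


def audit_login_data_file(path: str) -> list:
    """Open a *copy* of Login Data read-only (Chrome locks the live file) and audit it."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_login_data(conn)
    finally:
        conn.close()


def run_sample_audit() -> list:
    """Build an in-memory logins table with constructed rows and audit it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://example.test/login", "alice", DPAPI_HEADER + b"\x00" * 16),
        ("https://example.test/admin", "bob", b"v10" + b"\x00" * 12 + b"\xaa" * 32),
        ("http://legacy.test/", "carol", b"not-a-recognised-blob"),
    ])
    return audit_login_data(conn)


if __name__ == "__main__":
    for url, user, scheme in run_sample_audit():
        print(f"{scheme:12} {user:8} {url}")
```

Run it against a copied Login Data file with audit_login_data_file(); any row reported as "unknown" is one whose stored value is not protected in either of the two recognised ways.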
So it makes sense that if the ChromePass utility can access this data, malware running as the respective user could access it as well. When ChromePass.exe is uploaded to VirusTotal, just over half of the anti-virus engines flag it as dangerous. While in this case the utility is safe, it is somewhat reassuring to see that this behavior is at least flagged by many AV packages (although Microsoft Security Essentials is not one of the engines that reported it as dangerous).