Updated 7/29 with more information on using the Chrome password manager.
Google has apologized after a bug prevented a significant number of Windows users from recovering or saving their passwords. The issue, which began on July 24 and lasted for nearly 18 hours before being resolved on July 25, was caused by “a change in product behavior without proper feature protection,” an excuse that may sound familiar to anyone caught up in the CrowdStrike disruption this month.
The disappearing passwords issue has impacted Chrome web browser users worldwide, preventing them from retrieving previously saved passwords using Chrome’s password manager. Newly saved passwords have also become invisible to affected users. Google, which has now fixed the issue, said that the problem is limited to Chrome browser version M127 on the Windows platform.
How many Google users were affected by the Chrome Password Vanishing Act?
It’s hard to pinpoint exactly how many users were affected by the disappearance of Google’s password manager. However, assuming there are over 3 billion users of the Chrome web browser, the vast majority of whom are Windows users, it’s possible to estimate the number. Google said that 25% of the user base saw the configuration change rolled out, which by my calculations is around 750 million. Of those, around 2%, according to Google’s estimates, were affected by the password manager issue. That means around 15 million users saw their passwords disappear into thin air.
Chrome Password Manager Issue Now Fully Resolved
Google said that a temporary workaround was provided at the time, which involved the particularly unfriendly process of launching the Chrome browser with the command-line flag “--enable-features=SkipUndecryptablePasswords”. Fortunately, the full fix that has now been rolled out simply requires users to restart their Chrome browser to take effect. Thanking users for their patience, Google said: “We apologize for the inconvenience caused by this service interruption/outage.” Any Chrome users who have experienced an impact beyond what has been explained should, Google said, contact Google Workspace support.
How to Use Google’s Chrome Password Manager
You can access Google Chrome’s password manager from the browser’s three-dot menu by selecting Passwords & Autofill, then Google Password Manager. You can also install the password manager app for Chrome from the password manager settings and access it directly from the Google apps menu. If Chrome prompts you to autofill a password, select Manage passwords to access it directly.
If you already use a standalone password manager and want to switch to Google Chrome’s offering, while I don’t recommend it because having a separate service provides an extra layer of security, it’s pretty easy to do. First, download your passwords from the other app as a .CSV file. Make sure the file has formatted your passwords correctly by opening the file and checking that the first row has three column names like this: url, username, and password. Assuming this is the case, go to passwords.google.com using your Chrome browser, then select Settings|Import and choose your password file. Remember to delete the .CSV file from your device (and empty the trash afterward) to prevent anyone with access to your device from accessing it.
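Before importing, it is worth checking the exported file the way the steps above describe, and then making sure the plaintext copy is really gone. The following is an added example (not code from Google or from the article) that checks the header for the url, username and password columns, flags incomplete rows and reused passwords without printing any password, and overwrites the file before deleting it; the sample CSV is constructed.

```python
import csv
import io
import os

# Header that Chrome's password import expects, as described in the article.
REQUIRED_COLUMNS = ("url", "username", "password")

# Constructed sample export (not real credentials), one row per site.
SAMPLE_CSV = """url,username,password
https://example.com,alice,correct-horse-battery
https://example.org,alice,correct-horse-battery
https://example.net,bob,
"""


def check_export(csv_text):
    """Report missing header columns, line numbers of rows with an empty
    field, and groups of URLs that share one password. Passwords themselves
    never appear in the report."""
    reader = csv.DictReader(io.StringIO(csv_text))
    names = {h.strip().lower(): h for h in (reader.fieldnames or [])}
    missing = [c for c in REQUIRED_COLUMNS if c not in names]
    report = {"missing_columns": missing, "incomplete_rows": [], "reused": []}
    if missing:
        return report  # Chrome cannot map the columns; nothing more to check
    by_password = {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        values = {c: (row.get(names[c]) or "").strip() for c in REQUIRED_COLUMNS}
        if not all(values.values()):
            report["incomplete_rows"].append(line_no)
            continue
        by_password.setdefault(values["password"], []).append(values["url"])
    report["reused"] = [urls for urls in by_password.values() if len(urls) > 1]
    return report


def remove_export(path):
    """Overwrite the plaintext export, then delete it so it does not sit in
    the recycle bin. Overwriting is best-effort on SSDs and journaled file
    systems, so treat it as defence in depth. Returns True when the file is gone."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)
```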
While Google Password Manager for Chrome is certainly easy to use, that doesn’t automatically make it the best choice for securing your passwords. It’s better than no password manager at all, simply because using a single password manager greatly reduces the risk of sharing the same password across multiple accounts and services, or of relying on easy-to-remember and easy-to-crack passwords instead of complex, random ones. A dedicated password manager will come with plenty of additional security features, including a two-factor authentication code option, various ways to automatically generate strong passwords, and additional security measures. I use 1Password, which, as I’ve already pointed out, uses end-to-end encryption for data in transit, 256-bit AES data encryption, cryptographically secure pseudo-random number generators for encryption keys, initialization vectors and nonces, strong key derivation to make it even harder to brute-force a master password, and a secret key. This 128-bit secret key is used in conjunction with your master password in order to decrypt anything. It is created on your own device and is not known to 1Password. Your master password protects your password vault on your device, so an attacker with physical access would need to know it to access your passwords. However, if an attacker broke into 1Password’s servers, they would not be able to crack your passwords unless they also had the secret key that is stored on your physical device.
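The reason a device-held secret key matters is that a server breach then leaks nothing an attacker can test password guesses against. The block below is an added illustration of that idea, not 1Password’s actual derivation scheme: it mixes a slow hash of the (deliberately weak, constructed) master password with a MAC of a random 128-bit secret key, stores only a hypothetical verifier, and shows that the same offline wordlist succeeds when the attacker holds the device’s secret key and fails when they hold only the server-side verifier.

```python
import hashlib
import hmac
import os

# Simplified two-secret derivation for illustration only; it is NOT
# 1Password's real algorithm. Iteration count is kept low for speed.
ITERATIONS = 20_000


def derive_vault_key(password, secret_key, salt, iterations=ITERATIONS):
    """Slow-hash the master password, MAC the secret key, XOR the two halves."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    # The secret key is already high-entropy, so no stretching is needed for it.
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def verifier(vault_key):
    """Hypothetical value a server keeps to check a login; never the vault key."""
    return hashlib.sha256(b"verifier|" + vault_key).digest()


def offline_guess(stored_verifier, salt, candidates, secret_key, iterations=ITERATIONS):
    """Attacker model: leaked verifier and salt plus a wordlist. Returns the
    matching password, or None when no candidate reproduces the verifier."""
    for cand in candidates:
        key = derive_vault_key(cand, secret_key, salt, iterations)
        if hmac.compare_digest(verifier(key), stored_verifier):
            return cand
    return None


def demo():
    salt = os.urandom(16)
    secret_key = os.urandom(16)        # 128-bit, generated on the user's device
    master_password = "summer2024"     # constructed weak password for the demo
    stored = verifier(derive_vault_key(master_password, secret_key, salt))
    wordlist = ["password", "letmein", "summer2024", "qwerty"]
    # Attacker with the device (and its secret key) recovers the weak password.
    with_device = offline_guess(stored, salt, wordlist, secret_key)
    # Server-only attacker must guess the 128-bit key; any guess is wrong with
    # overwhelming probability, so the wordlist attack yields nothing.
    server_only = offline_guess(stored, salt, wordlist, os.urandom(16))
    return with_device, server_only
```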
Google Chrome’s password manager can also use on-device encryption if you set it up to do so. Full instructions are available here. Users are advised that “once on-device encryption is set up, it cannot be removed.” However, once on-device encryption is set up, you can use your Google password or the screen lock on compatible phones or tablets to unlock your password or passkey.
Passwords aren’t the only Google security measure that’s recently disappeared
Passwords aren’t the only thing Google users have seen disappear recently, according to investigative cybersecurity journalist Brian Krebs: Email verification when creating a new Google Workspace account has also disappeared for some users. The authentication issue, now fixed by Google, allowed bad actors to “bypass the email verification required to create a Google Workspace account,” Krebs said, allowing them to “impersonate a domain registrant to third-party services.” That impersonation meant the attacker could then log into third-party services, including a Dropbox account, according to the person who initially contacted Krebs.
The issue appears to be related to Google Workspace’s free trials, which provide access to services like Google Docs. Gmail, on the other hand, is only accessible to existing users who can validate their control over the associated domain name. Or at least, that’s what should have happened. Instead, it appears that an attacker could effectively bypass the verification process entirely. Anu Yamunan, director of abuse and security protections at Google Workspace, told Krebs that a few thousand unverified accounts per domain had been created before the patch was applied. The patch, it should be noted, was applied within 72 hours of the vulnerability being reported. It appears that none of the domains were previously associated with Workspace accounts or services. “The tactic here was to create a specially crafted request by a malicious actor to bypass email verification during the sign-up process,” Yamunan said.
I have contacted Google for additional comment.