Chrome’s Stored Passwords

August 7, 2013 | BY

An oddity in Google’s Chrome allows you to reveal stored passwords saved by the popular browser.

Software developer Elliot Kember came across this while importing his Safari browser settings and thought he’d share. His blog points out how our stored passwords are readily available in Chrome.


We’ve all seen the option in our favorite browser that offers to save our passwords—fair enough. Chrome takes it a step further and gives you the ability to see those stored passwords.

In Chrome’s Password manager, chrome://settings/passwords, you are presented with any saved passwords, from there you can select the account and click the “Show” button to reveal the password.


This isn’t a huge security hole but really a privacy issue if you use Chrome. The feature hasn’t be targeted by malware authors but could leave you exposed if someone with prying eyes has access to your PC.

Google seems confident in the feature and that it is not a security issue.

“The only strong permission boundary for your password storage is the OS user account,” Justin Schuh, a Security Tech Lead for Chrome, said. “So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account.”

He has a good point, sometimes all bets are off when a bad guy gets access to your PC—although you can make the job difficult by not having passwords easily accessible. If you want to clear out any stored passwords in Chrome you can remove in its Advanced settings under “Passwords and Forms.” Access by going to Chrome’s menu  -> Settings.


Firefox also has this feature and is accessible through the Firefox menu then Options -> Options -> Security -> Saved Passwords. Firefox does prompt when accessing “Save Passwords” but reveals them just the same. So this is not strictly a Chrome thing.


If you do like to use password store features don’t use on a “community” PC or leave your PC unlocked when away. We’ve covered password security in past blogs, our Josh Cannell covered them recently and also Neil Rubenking, a journalist for PC Mag, covered this Chrome feature and offered some tips on using third party password managers.

It’s interesting how long this has gone under the radar by the media and security industry, though it’s not necessarily a security exploit, it does bring up the password issue again. Please stay secure and be aware of where and when you’re storing your passwords.

  • Roy Harvey

    This is no different from Firefox.

  • Collier Smith

    Except in Firefox you have an option to set a Master Password, and you can reveal the saved passwords only if you enter this Master Password. I have not seen a similar feature in Chrome.

  • bruceatcohocomputerdotcom

    If you do use the master password, Firefox’s Password Manager provides good security. The local password database is encrypted. Better still, passwords, bookmarks and other browsing data can be synced automatically and securely across multiple computers and Android devices.

  • thedonsway

    For those of us with a bad memory and forget where we write things down, this is a very handy feature. and now I know how to find it, thank you.

  • Jay Imerman

    What a sensationalist post! I thought you found some real vulnerability! This was a waste of time. Like Roy Harvey says, no different from Firefox, and you have to show the password in order to have it visible. Duh, just don’t do it with anyone else looking on, or get a privacy screen cover on your laptop or other device. Can’t believe I clicked the link to read this article.

  • Jason Von Ruden

    I a disappointed in a reputable security company reporting failing to report that all browsers have this default feature to allow viewing passwords cached just as easily.

    All Major browsers Internet Explorer, Firefox, Opera, Chrome, Safari, mobile devices, and etc.

    ** Especially since this is not really a security vulnerability, once someone already has full access to a computer it is game over man… **

  • Nunya Biznis

    a long time ago I kind of figured this would happen. so I decided right then
    to NEVER store my passwords for ANY website. when you log in to a site
    it offers that little box to check “remember me” ??
    I don’t do those either….
    it’s a wise habit to get into maybe reconsider your position on storing them
    in ANY browser.