Updated 07/29 with more information regarding Chrome password manager usage.
Google has said it is sorry after a bug prevented a significant number of Windows users from finding or saving their passwords. The issue, which Google noted started on July 24 and continued for nearly 18 hours before being fixed on July 25, was due to “a change in product behavior without proper feature guard,” an excuse that may sound familiar to anyone caught up in the CrowdStrike disruption this month.
The vanishing password problem impacted Chrome web browser users from all over the world, leaving them unable to find any passwords already saved using the Chrome password manager. Newly saved passwords were also rendered invisible to the affected users. Google, which has now fixed the issue, said that the problem was limited to the M127 version of Chrome Browser on the Windows platform.
How Many Google Users Were Impacted By The Chrome Password Vanishing Act?
The precise number of users to be hit by the Google password manager vanishing act is hard to pin down. However, working on the basis that there are more than 3 billion Chrome web browser users, with Windows users counting for the vast majority of these, it’s possible to come up with an estimated number. Google said that 25% of the user base saw the configuration change rolled out, which, by my calculations, is around 750 million. Of these, around 2%, according to Google’s estimation, were hit by the password manager issue. That means around 15 million users have seen their passwords vanish into thin air.
Chrome Password Manager Disruption Is Now Fully Fixed
Google said that an interim workaround was provided at the time, which involved the particularly user-unfriendly process of launching the Chrome browser with the command line flag “--enable-features=SkipUndecryptablePasswords”. Thankfully, the full fix that has now been rolled out just requires users to restart their Chrome browser to take effect. Thanking users for their patience, Google said that “We apologize for the inconvenience this service disruption/outage may have caused.” Any Chrome users who have experienced an impact beyond what has been explained should, Google said, contact Google Workspace Support.
How To Use Google’s Chrome Password Manager
You can access Google’s Chrome password manager from the browser’s three-dot menu by selecting Passwords and Autofill and then Google Password Manager. Alternatively, you can install the password manager Chrome app from the password manager settings and access it directly from the Google apps menu. If Chrome prompts you to autofill a password, selecting manage passwords will also take you directly there.
If you already use a standalone password manager and want to switch to using the Google Chrome offering, although I wouldn’t recommend it as having a separate service provides an additional layer of security, it’s easy enough to do. First, export your passwords from the other application as a .CSV file. Make sure the file has formatted your passwords properly by opening it and checking that the first line has three column names as follows: url, username, and password. Assuming this checks out, head for passwords.google.com using your Chrome browser, then select Settings|Import and choose your password file. Remember to delete the .CSV file from your device (and empty the trash afterward) to prevent anyone with access to your device from being able to access it.
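The header check and the clean-up step above are easy to get wrong by hand, so here is an added example (not code from the article or from Google) that validates an exported CSV against the three-column layout the article describes and then overwrites the file before deleting it. The sample CSV text, the function names and the per-line checks are all my own construction; the only thing taken from the article is the expected header of url, username, password.

```python
import csv
import io
import os
import tempfile

# Header the article says the Google Password Manager importer expects.
EXPECTED_HEADER = ["url", "username", "password"]

# Constructed sample exports (not real credentials): one well-formed, one with
# the extra "name" column that several managers emit by default.
GOOD_CSV = (
    "url,username,password\n"
    "https://example.com,alice,correct-horse\n"
    "https://mail.example.org,bob,battery-staple\n"
)
BAD_CSV = (
    "name,url,username,password\n"
    "Example,https://example.com,alice,pw\n"
)


def check_export(csv_text):
    """Validate an exported password CSV before importing it.

    Returns {'ok': bool, 'problems': [...], 'rows': int}. The result never
    contains a password, so it is safe to print or log.
    """
    problems = []
    reader = csv.reader(io.StringIO(csv_text))
    try:
        header = next(reader)
    except StopIteration:
        return {"ok": False, "problems": ["file is empty"], "rows": 0}

    # Column names must match exactly (case and whitespace are forgiven).
    if [h.strip().lower() for h in header] != EXPECTED_HEADER:
        problems.append("first line must be %s, got %s" % (EXPECTED_HEADER, header))

    rows = 0
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, harmless
        if len(row) != 3:
            problems.append("line %d has %d columns, expected 3" % (lineno, len(row)))
            continue
        url, _user, password = row
        if not url.strip().startswith(("http://", "https://")):
            problems.append("line %d: url %r lacks an http(s) scheme" % (lineno, url))
        if not password:
            problems.append("line %d: empty password" % lineno)
        rows += 1
    return {"ok": not problems, "problems": problems, "rows": rows}


def shred_file(path, passes=1):
    """Overwrite the file with random bytes, then unlink it.

    Overwriting is best effort: SSD wear levelling and journaling file systems
    may keep old blocks, so the delete (and emptying the trash) still matters.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo_shred():
    """Write the sample export to a temp file, shred it, report whether it is gone."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w") as fh:
        fh.write(GOOD_CSV)
    return shred_file(path)


if __name__ == "__main__":
    print(check_export(GOOD_CSV))
    print(check_export(BAD_CSV))
    print("shredded:", demo_shred())
```

Run the checker on the exported file before visiting the import page; if it reports a header mismatch, fix the first line in a text editor (or re-export with only the three columns) rather than letting the importer silently skip rows.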
While the Google Password Manager option for Chrome is certainly easy to use, that doesn’t automatically make it the best choice for keeping your passwords secure. It’s better than no password manager at all, simply because using one makes it far less likely that you will share the same password across multiple accounts and services or resort to easy-to-remember, easy-to-crack passwords rather than complex and random ones. A dedicated password manager will come with many added security features, likely including a two-factor authentication code option, varied ways to auto-generate strong passwords and additional security measures. I use 1Password, which, as I have pointed out before, uses end-to-end encryption for data in transit, 256-bit AES data encryption, cryptographically secure pseudorandom number generators for encryption keys, initialization vectors and nonces, key derivation strengthening to make it even harder to brute force a master password, and a secret key. This 128-bit secret key is used in conjunction with your master password in order to decrypt anything. It’s created on your own device and is not known to 1Password. Your master password protects your password vault on your device, so an attacker with physical access would need to know it to access your passwords. If an attacker tried to brute-force the 1Password servers, however, they couldn’t decrypt your passwords unless they had the secret key, which is stored on your physical device.
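To make the “master password plus device-held secret key” idea concrete, here is an added example (my own simplified model, not 1Password’s actual key derivation and not code from the article) showing why a server-side guessing attack gets nowhere without the secret key. It stretches the master password with PBKDF2, mixes in a 128-bit secret key with HMAC, and stores only a verifier; the iteration count, salt, sample wordlist and all function names are constructed for the demo.

```python
import hashlib
import hmac
import os

# Toy parameters (assumptions for this demo). Real products use far higher
# iteration counts or memory-hard KDFs such as Argon2.
PBKDF2_ITERATIONS = 100_000
ACCOUNT_SALT = b"constructed-per-account-salt"  # stored server-side in this model


def derive_vault_key(master_password, secret_key, salt=ACCOUNT_SALT):
    """Combine something you know (master password) with something you have (secret key).

    Step 1 stretches the password so each guess costs real CPU time; step 2 binds
    the result to the 128-bit secret key, so both inputs are needed for the key.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_verifier(vault_key):
    """What a server could store to confirm a login; it reveals nothing usable alone."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


def guess_master_password(verifier, candidates, secret_key):
    """Simulate an offline guessing run against a stolen verifier.

    Returns the candidate that reproduces the verifier, or None. With the wrong
    secret key every derived key is wrong, so no candidate can match.
    """
    for candidate in candidates:
        key = derive_vault_key(candidate, secret_key)
        if hmac.compare_digest(make_verifier(key), verifier):
            return candidate
    return None


def demo():
    """Return (result with secret key, result without it) for a constructed wordlist."""
    secret_key = os.urandom(16)  # 128-bit secret generated on the user's device
    master = "battery-staple"    # deliberately weak so the wordlist contains it
    verifier = make_verifier(derive_vault_key(master, secret_key))
    wordlist = ["password", "123456", "battery-staple", "letmein"]  # constructed
    with_key = guess_master_password(verifier, wordlist, secret_key)
    without_key = guess_master_password(verifier, wordlist, b"\x00" * 16)
    return with_key, without_key


if __name__ == "__main__":
    found, not_found = demo()
    print("attacker who also stole the device secret recovers:", found)
    print("attacker with only server data recovers:", not_found)
```

The point of the two calls in demo() is the asymmetry: a weak master password falls to a four-word list when the secret key is in hand, yet the same list yields nothing when only the server-side data is available, because the 128-bit secret key adds entropy the guesser cannot enumerate.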
The Google Chrome password manager can also use on-device encryption if you set it up for this. The full instructions can be found here. Users are advised that “once on-device encryption is set up, it can’t be removed.” However, once on-device encryption is set up, you can use your Google password or the screen lock for compatible phones or tablets to unlock your password or passkey.
Passwords Are Not The Only Google Security Measure That Went Missing Recently
According to renowned investigative cybersecurity reporter Brian Krebs, passwords are not the only thing Google users have seen disappear recently: email verification when creating a new Google Workspace account also went missing for some users. The authentication issue, also now fixed by Google, enabled bad actors to “circumvent the email verification required to create a Google Workspace account,” Krebs said, which allowed them to “impersonate a domain holder at third-party services.” This impersonation meant that such a person was then able to log in to third-party services, including a Dropbox account, according to the person who contacted Krebs initially.
The issue appears to have been connected to the free trials that Google Workspace offers, which allow access to services such as Google Docs, for example. Gmail, however, is only accessible to existing users who can validate their control over the associated domain name. Or, at least, that’s what should have happened. Instead, it seems, an attacker could effectively bypass the validation process entirely. Anu Yamunan, the director of abuse and safety protections at Google Workspace, told Krebs that a few thousand such non-domain-verified accounts had been created before the fix was applied. The fix, it should be said, was made within 72 hours of the vulnerability being reported. It is understood that none of the domains were previously associated with Workspace accounts or services. “The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Yamunan said.
I have approached Google for further comments.