
Updated 07/29: Additional Information on Chrome Password Manager Issue
Google has issued an apology after a glitch caused a substantial number of Windows users to lose access to their saved passwords. The problem, which began on July 24 and persisted for nearly 18 hours before being resolved on July 25, was attributed to “a change in product behavior without proper feature guard.” This explanation may sound familiar to those who experienced the recent CrowdStrike disruption.
The password issue affected Chrome users globally, preventing them from accessing or saving passwords through the Chrome password manager. Both previously saved and newly added passwords became invisible to those affected. Google has since fixed the problem, clarifying that it was confined to the M127 version of Chrome Browser on Windows.
How Many Google Users Were Affected by the Chrome Password Glitch?
Pinning down the exact number of users impacted by the Chrome password manager issue is challenging. Given that there are over 3 billion Chrome users worldwide, with Windows users making up the majority, we can estimate the scale of the problem. Google indicated that 25% of its user base experienced the configuration change, which translates to approximately 750 million users. According to Google, around 2% of these users encountered the password manager issue, meaning roughly 15 million users saw their passwords disappear.
Chrome Password Manager Disruption Now Fully Resolved
Google has confirmed that the interim workaround, which involved a complex command line flag (“--enable-features=SkipUndecryptablePasswords”), is no longer necessary. The complete fix now only requires users to restart their Chrome browser. Google has expressed gratitude for users’ patience and apologized for the disruption caused. For any additional issues beyond what has been detailed, users are advised to contact Google Workspace Support.
How to Use Google’s Chrome Password Manager
To access Google’s Chrome Password Manager, follow these steps:
From the Browser Menu: Click on the three-dot menu in the top-right corner of Chrome. Navigate to Passwords under Autofill, then select Google Password Manager.
Using the Chrome App: Install the Chrome Password Manager app from the password manager settings for direct access via the Google apps menu.
Via Autofill Prompt: When Chrome prompts you to autofill a password, select Manage Passwords to be taken directly to the password manager.
Switching from a Standalone Password Manager to Google Chrome’s Password Manager
If you’re considering switching from a standalone password manager to Google Chrome’s built-in option, here’s a straightforward process to follow. Note that while Chrome’s Password Manager is convenient, it might not offer the same level of security as dedicated password managers. A separate service typically adds an extra layer of protection.
Export Your Passwords: Begin by exporting your passwords from your current password manager as a .CSV file. Ensure that the file is correctly formatted with the following column headers: url, username, and password.
Import to Google Password Manager: Open Chrome and go to passwords.google.com. Navigate to Settings > Import, and select your .CSV file for upload.
Delete the .CSV File: After importing, delete the .CSV file from your device and empty the trash to ensure that no one else can access your password information.
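The export, import and delete steps above can be scripted so the plaintext file is never left readable or forgotten. The following is an added example, not part of the original article or any vendor's tooling: it rewrites an export to the url, username and password headers, creates the file with owner-only permissions, and removes it when done. The source column names and sample rows are constructed assumptions, and the 0600 mode assumes a POSIX system.

```python
import contextlib
import csv
import io
import os

CHROME_HEADERS = ["url", "username", "password"]  # headers named in the article

# Constructed sample export; these column names are assumptions, not any
# real product's format.
SAMPLE_EXPORT = (
    "name,login_uri,login_username,login_password\n"
    'Example,https://example.com,alice,"p,ss""word"\n'
    "Broken,https://broken.example,bob,\n"
    "Mail,https://mail.example,carol,hunter2 \n"
)
SAMPLE_MAP = {"url": "login_uri", "username": "login_username",
              "password": "login_password"}

def to_chrome_csv(export_text, column_map):
    """Return (csv_text, skipped_lines) with url,username,password headers."""
    reader = csv.DictReader(io.StringIO(export_text))
    missing = [c for c in column_map.values() if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(CHROME_HEADERS)
    skipped = []
    for row in reader:
        url = (row[column_map["url"]] or "").strip()
        user = (row[column_map["username"]] or "").strip()
        password = row[column_map["password"]] or ""  # never trim a secret
        if not url or not password:
            skipped.append(reader.line_num)  # report the line, not the secret
            continue
        writer.writerow([url, user, password])
    return out.getvalue(), skipped

@contextlib.contextmanager
def private_csv(path, text):
    """Create the plaintext file owner-only (0600, POSIX) and always delete it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w", newline="") as fh:
            fh.write(text)
        yield path
    finally:
        os.remove(path)
```

Run the import while inside the `with private_csv(...)` block; the file is removed on exit even if an error occurs, though copies left in the source manager's export folder or in backups still need to be deleted by hand.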
Why Consider a Dedicated Password Manager?
While Google’s Chrome Password Manager is user-friendly, it might not be the best choice for comprehensive password security. It’s a good starting point and better than not using a password manager at all. However, dedicated password managers offer advanced features such as two-factor authentication, strong password generation, and additional security measures.
For example, I use 1Password, which provides robust security features including end-to-end encryption, 256-bit AES data encryption, and cryptographically secure pseudorandom number generators. 1Password also employs a 128-bit secret key in conjunction with your master password to decrypt your vault, with this key being stored only on your device, ensuring maximum protection against brute-force attacks.
On-Device Encryption with Google Chrome Password Manager
Google Chrome’s password manager can utilize on-device encryption if configured properly. Full instructions are available here. Note that once on-device encryption is set up, it cannot be removed. You can use your Google password or a compatible device’s screen lock to access your passwords or passkeys.
Recent Google Security Issues
Aside from the password manager glitch, other security issues have also arisen. Investigative cybersecurity reporter Brian Krebs reported that some Google users experienced problems with email verification when creating new Google Workspace accounts. This issue, now resolved by Google, allowed bad actors to bypass email verification and impersonate domain holders, accessing third-party services like Dropbox.
The problem was linked to Google Workspace’s free trials, which grant access to services such as Google Docs. Although Gmail is supposed to require domain validation, attackers managed to circumvent this process. Google Workspace’s abuse and safety director, Anu Yamunan, noted that a few thousand non-validated accounts were created before a fix was applied within 72 hours of the vulnerability being reported. None of the affected domains had previously been associated with Workspace accounts or services. The attackers used a specially crafted request to bypass email verification.
I’ve reached out to Google for further comments.