How to secure your passwords in Chrome and Firefox

Chrome and Firefox both store your saved passwords in plain text. So how do you keep them safe?

Michelle Starr Science editor
Michelle Starr is CNET's science editor, and she hopes to get you as enthralled with the wonders of the universe as she is. When she's not daydreaming about flying through space, she's daydreaming about bats.
Michelle Starr
3 min read

Chrome and Firefox both store your saved passwords in plain text. So how do you keep them safe?

(Immeuble du Crédit Lyonnais image by Renaud d'Avout, CC BY-SA 3.0)

A "feature" of Chrome and Firefox has been getting a little attention this week — namely, that your saved passwords are not as secure as you might think. Whenever you enter a password into a website and click "Yes" when asked if you'd like the browser to remember it, the browser does not encrypt the password. Rather, it stores a plain-text version that you can access with just a few clicks.

In Chrome, they're in Settings > Advanced Settings > Passwords, where you can view a list of your saved sites. When you click on one, a little box shows up with the option to "Show" your password. In Firefox, you can get to them through Options > Security > Saved Passwords and clicking on "Show Passwords".

(Screenshot by Michelle Starr/CNET Australia)

This means that if someone has access to your computer, they can find your passwords very easily.

It's important to note here that if your computer gets stolen, Chrome treats your computer password as a "Master password". So if the thief can't access your user profile, they will not be able to access your passwords, either.

So how do you protect yourself? Obviously, the best course of action would not be to save your passwords in your browser at all, but that's not very practical.

Our first tip would be to limit your saved passwords to junk accounts. All accounts that have access to your money, your email accounts and anything else linked to sensitive information should be kept off your browser.

Secondly, use a different password for every single account. Keeping your sensitive account passwords off your browser isn't going to do much good if you use the same password for everything — someone trying to get access to your passwords could figure it out pretty easily.

Thirdly, set up a separate profile for everyone who is using your computer, and either lock it or sign out whenever you step away.

Finally, use a master password. Firefox has this capability built in. Anyone trying to view your browser passwords needs to enter the master to able to do so. Firefox does not have the master password enabled by default; there are instructions on how to set one here.

With Chrome, it's a little trickier. Google does not have a master password feature, nor does it plan to implement one. In order to obtain one, you need to use a third-party password manager.

LastPass lets you set up a password vault that automatically fills out forms and passwords. When you have launched your browser, you have to log in to LastPass, and it will take care of the rest. It encrypts your passwords using 256-bit AES implemented in C++ and JavaScript, and all encryption and decryption takes place locally on your PC, even though your (encrypted) passwords are stored on LastPass' cloud servers.

It also has a "generate password" feature for creating randomised, secure passwords for your account, and allows you to restrict the ability to log in by country and enable two-factor authentication.

If you would prefer that your passwords are stored locally instead of on a third-party server (even though most of them are stored on the website's servers anyway), KeePass is a good alternative. It offers a similar service to LastPass: generating randomised passwords and encrypting them, with one master password to unlock them stored locally on your computer, although you can save your vault to Dropbox or a USB stick if you need it in more than one place. It then pastes these passwords into your browser — which also effectively stymies possible keyloggers.