
Google apologizes after passwords disappear for 15 million Windows users

Updated 07/29 with more information about using Chrome’s password manager.

Google said it was sorry after a bug prevented a significant number of Windows users from finding or saving their passwords. The problem, which Google noted began on July 24 and lasted nearly 18 hours before being fixed on July 25, was due to a “change in product behavior without proper feature protection,” an explanation that may sound familiar to anyone caught in the CrowdStrike outage this month.

The disappearing password issue has affected Chrome web browser users worldwide, leaving them unable to find already saved passwords using Chrome’s password manager. Newly saved passwords were also made invisible to affected users. Google, which has already fixed the problem, said the problem is limited to the M127 version of the Chrome browser on the Windows platform.


How many Google users were affected by the Chrome disappearing password incident?

It is difficult to determine the exact number of users who were affected by the Google password manager problem. However, working on the basis that there are more than 3 billion users of the Chrome web browser, with Windows users accounting for the vast majority of them, it is possible to arrive at an approximate number. Google said 25% of its user base saw the configuration change, which I estimate is about 750 million. Of those, about 2%, according to Google’s estimate, were affected by the password manager issue. That means around 15 million users saw their passwords disappear into thin air.

Chrome’s password manager breakage is now fully fixed

Google said a workaround was provided at the time, which involved the particularly user-inconvenient process of starting the Chrome browser with the command-line flag “--enable-features=SkipUndecryptablePasswords.” Fortunately, the full fix now released simply requires users to restart their Chrome browser to take effect. Thanking users for their patience, Google said that “We apologize for the inconvenience this service interruption may have caused.” Any Chrome users who have experienced an impact beyond what’s described should, Google said, contact Google Workspace support.


How to use Google Chrome Password Manager

You can access Google’s Chrome password manager from the browser’s three-dot menu by selecting Passwords & AutoFill and then Google Password Manager. Alternatively, you can install the Chrome password manager app from your password manager settings and access it directly from the Google apps menu. If Chrome prompts you to autofill a password, selecting Manage Passwords will also take you directly there.

If you’re already using a standalone password manager and want to switch to using Google Chrome’s offering, although I wouldn’t recommend it since having a separate service provides an extra layer of security, it’s easy enough to do. First, export your passwords from the other application as a .CSV file. Make sure the file has formatted your passwords correctly by opening it and verifying that the first line has three column names as follows: url, username, and password. Once this is checked, go to passwords.google.com using your Chrome browser, then select Settings|Import and select your password file. Be sure to delete the .CSV file from your device (and empty the trash afterwards), because it holds every password in plain text and anyone with access to your device could read it.
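A small checker for that export step, written for this article as an added illustration (it is not Google’s or any password manager’s code): it parses the .CSV, confirms the `url`, `username` and `password` columns are present (extra columns such as `name` or `note` are tolerated, which is an assumption about the importer), and flags rows with empty fields, exact duplicates, and the same password reused on different sites, which is the habit the next paragraph warns about. The sample export is constructed for the demonstration; the site groups it reports never include the password itself, so the report is safe to keep.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Columns the import expects, per the article's instructions.
REQUIRED_COLUMNS = ("url", "username", "password")

# Constructed sample export (not real credentials). Row numbers below count
# the header as row 1.
SAMPLE_EXPORT = """url,username,password
https://example.com/login,alice,correct horse battery staple
mail.example.org,alice@example.org,hunter2
https://shop.example.net/account,alice,hunter2
https://example.com/login,alice,correct horse battery staple
https://bank.example.com,,
"""


def site_of(url):
    """Reduce a URL (with or without a scheme) to its host name."""
    if "://" not in url:
        url = "https://" + url  # bare host names are common in exports
    host = urlsplit(url).hostname
    return host if host else url.lower()


def validate_password_csv(text):
    """Check a password export before importing it.

    Returns a report dict: header status, number of usable entries, row
    numbers that are incomplete or duplicated, and groups of sites that
    share one password (the password itself is never included).
    """
    rows = list(csv.reader(io.StringIO(text)))
    header = [h.strip().lower() for h in rows[0]] if rows else []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    report = {"ok": False, "header": header, "missing_columns": missing,
              "entries": 0, "incomplete_rows": [], "duplicate_rows": [],
              "reused_passwords": []}
    if missing:
        return report  # wrong header: the importer would reject or mis-map it

    idx = {c: header.index(c) for c in REQUIRED_COLUMNS}
    seen = set()
    sites_by_password = defaultdict(set)
    for rownum, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, harmless
        if len(row) < len(header):
            report["incomplete_rows"].append(rownum)
            continue
        url = row[idx["url"]].strip()
        user = row[idx["username"]].strip()
        pw = row[idx["password"]]
        if not (url and user and pw):
            report["incomplete_rows"].append(rownum)
            continue
        key = (site_of(url), user, pw)
        if key in seen:
            report["duplicate_rows"].append(rownum)
            continue
        seen.add(key)
        sites_by_password[pw].add(key[0])
        report["entries"] += 1

    # Report only the site groups, never the shared password value.
    report["reused_passwords"] = [sorted(s) for s in sites_by_password.values()
                                  if len(s) > 1]
    report["ok"] = not report["incomplete_rows"]
    return report


if __name__ == "__main__":
    r = validate_password_csv(SAMPLE_EXPORT)
    print("header ok" if not r["missing_columns"] else f"missing: {r['missing_columns']}")
    print(f"usable entries: {r['entries']}")
    print(f"incomplete rows: {r['incomplete_rows']}, duplicate rows: {r['duplicate_rows']}")
    for sites in r["reused_passwords"]:
        print("same password reused on:", ", ".join(sites))
```

Run it against your own export before importing; an incomplete row means the export tool dropped a field, and a reuse group is a list of accounts to rotate after the migration.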

While Google Password Manager for Chrome is certainly easy to use, that doesn’t automatically make it the best choice for protecting your passwords. It is still better than no password manager at all, simply because using one makes it much less likely that you’ll reuse the same password across multiple accounts and services, or resort to easy-to-remember and easy-to-crack passwords instead of complex, random ones. A dedicated password manager comes with many added security features, possibly including a two-factor authentication code option, a variety of ways to automatically generate strong passwords, and additional security measures. I use 1Password which, as I mentioned before, uses end-to-end encryption for data in transit, 256-bit AES data encryption, cryptographically secure pseudo-random number generators for encryption keys, initialization vectors and nonces, and strengthened key derivation to make it even more difficult to brute force a master password and secret key. This 128-bit secret key is used along with your master password to decrypt everything. It was created on your own device and is not known to 1Password. Your master password protects your password store on your device, so an attacker with physical access would need to know it to gain access to your passwords. If an attacker tries to brute force 1Password’s servers, however, they cannot decrypt your passwords unless they also have the secret key that is stored on your physical device.

Google Chrome’s password manager can also use on-device encryption if you set it up to do so. Full instructions can be found here. Users are advised that “once device encryption is set up, it cannot be removed.” However, once device encryption is set up, you can use your Google password, or the screen lock on compatible phones or tablets, to unlock your passwords or passkeys.

Passwords aren’t the only Google security measure to disappear recently

According to renowned investigative cybersecurity reporter Brian Krebs, passwords aren’t the only thing Google users have seen disappearing recently: the email confirmation when creating a new Google Workspace account has also disappeared for some users. The authentication issue, also now fixed by Google, allowed bad actors to “bypass the email verification required to create a Google Workspace account,” Krebs said, allowing them to “impersonate the owner of a domain on third-party services.” That impersonation meant such a person could then log into third-party services, including a Dropbox account, according to the person who initially contacted Krebs.

The problem seems to be related to the free trials that Google Workspace offers, which allow access to services like Google Docs, for example. Gmail, however, is only available to existing users who can verify their control of the associated domain name. Or at least that’s what was supposed to happen. Instead, it appears that an attacker could effectively bypass the validation process entirely. Anu Yamunan, director of abuse protection and safety at Google Workspace, told Krebs that several thousand such accounts without verified domains were created before the patch was implemented. It should be noted that the patch was made within 72 hours of the vulnerability being reported. It is understood that none of the domains had previously been associated with Workspace accounts or services. “The tactic here was to create a specially crafted request by a bad actor to bypass email verification during the registration process,” Yamunan said.

I’ve reached out to Google for further comment.
