Forbes Estimates Google's Chrome Temporarily Lost Millions of Saved Passwords (forbes.com) 28
An unexpected disappearance of saved passwords "impacted Chrome web browser users from all over the world," writes Forbes, "leaving them unable to find any passwords already saved using the Chrome password manager."
Newly saved passwords were also rendered invisible to the affected users. Google, which has now fixed the issue, said that the problem was limited to the M127 version of Chrome Browser on the Windows platform.
The precise number of users to be hit by the Google password manager vanishing act is hard to pin down. However, working on the basis that there are more than 3 billion Chrome web browser users, with Windows users counting for the vast majority of these, it's possible to come up with an estimated number. Google said that 25% of the user base saw the configuration change rolled out, which, by my calculations, is around 750 million. Of these, around 2%, according to Google's estimation, were hit by the password manager issue. That means around 15 million users have seen their passwords vanish into thin air.
Google said that an interim workaround was provided at the time, which involved the particularly user-unfriendly process of launching the Chrome browser with a command line flag of "--enable-features=SkipUndecryptablePasswords." Thankfully, the full fix that has now been rolled out just requires users to restart their Chrome browser to take effect.
ironic in some ways (Score:3)
The concept of "logging in", basically equivalent to a light switch, which is either on or off, is conceptually beyond the understanding of a large cohort of people. To be fair Big Tech is "updating" our hardware and software as fast as possible to remove on/off from the lexicon, because it tilts the device experience towards control by the manufacturer and away from the consumer.
Secure password management should have been built into the hardware from the beginning.
Re: (Score:3, Interesting)
Re: (Score:2)
In the case of hardware, it's like Google saying they will remove 3rd party cookies... sounds like it's pro-consumer, pro-privacy.. Right? Wrong.
They are removing any semblance of "off"... so in the end it means BIG G gets data from you even when the thing is off (because in reality it's always on), and they get to keep ALL the data and monetize it.
It's a Win/Win for Google an
They're not lost (Score:5, Insightful)
Google probably has a copy.
Re: (Score:3)
Fun Times ahead (Score:2)
Between this and Crowdstrike, I can see the masses never allowing an update to Windows again.
I already know people who complain loudly about updates. So I guess the next step is for them to stop updates altogether.
Update of an old concept (Score:3)
"Those who would give up essential Security, to purchase a little temporary Convenience, deserve neither Security nor Convenience".
I suppose it's possible that KeePassX could fail and I'd lose all my passwords. I suppose it could somehow fail so badly that I couldn't even retrieve passwords from my backup files, although it's hard to see how. But I'd never trust a browser, of all things, to be ANY kind of password keeper, much less my ONLY password keeper.
That brings us to another point: if you're gonna risk hanging your passwords out in public by entrusting them to Big Tech, at least have the sense to keep local backups. How embarrassing would it be to have to ask Google, for example, to give your shit back?
Re: (Score:3)
This is ridiculous. A temporary glitch that was quickly rectified, no data lost, and it has supported backing up your passwords (locally and in the cloud) since the very early days. It's absolutely no worse than Keepass, beyond the additional levels of authentication and encryption available in that app, which most users won't use.
The Chrome and Firefox password managers have done a lot to improve security online. They generate strong passwords and keep them securely, with cloud sync option because most peo
Re: (Score:2)
Mostly stuff I hadn't known - thanks.
Re: (Score:2)
If you have backups (which you should if using anything like keepass, otherwise you'd be starting from scratch every time you have some storage failure) then you have backups of your browser passwords too as they're saved locally in your user profile.
"Chromestrike" will happen (Score:3)
Re: (Score:2)
On the plus side, Chrome is not involved in the boot process and cannot (except intentionally) prevent system boot after crashing it. That puts it in line with the usual crapware software makers push out these days and does not even merit a footnote in the history of computer security.
Re: (Score:2)
Unironically, if Chrome fails HARD you can download a fix (once it's been made) via Edge. No different than Windows coming bundled with Internet Explorer (now Edge) so you could download Firefox or Chrome.
This is why I keep backups of PWs... (Score:3, Informative)
Every so often, I stick a USB flash drive [istorage-uk.com] into the machine. Because I don't trust BitLocker encryption, the drive is also protected by VeraCrypt, and even if the hardware encryption is "sus", it does protect against brute force attacks, so someone finding the drive likely will try codes until it permanently locks, goes to the website to reset the drive, and now has a freebie drive... hardware loss, but the data is well out of their reach.
From there, I export all passwords to the drive, as well as keys like my .gnupg directory, .ssh directory, ~/.config/borg/keys directory, and other items. To keep things sane, I have a few of these drives, and use a GFS rotation with a drive being offsite.
This ensures that if something happens to a PW or a TOTP key, I can recover. I learned this the hard way when a sync service corrupted all my passwords. Were it not for an offline iPod Touch, I would have lost pretty much everything.
Re: (Score:2)
Words of wisdom. And experience.
Why Chrome on Windows? (Score:2)
I've never understood why any user would install Chrome (except that brief period when it was the only way to stream Netflix on Linux).
It doesn't come pre-installed on any OS not made by Google, so you have to go out of your way.
If you're already using Windows, you're already fine with Microsoft spying on you and advertising to you.
Why not just use Edge instead of adding Google to the pile?
What gets Windows users to install Chrome?
Re: (Score:2)
>"What gets Windows users to install Chrome?"
Consistency?
Habit?
Advertising?
Documentation recommendations?
Outdated misinformation?
Corporate overlords?
>"Why not just use Edge instead of adding Google to the pile?"
Why not use Firefox and kick both Google AND Microsoft off the pile? And, at the same time, it supports real browser diversity so we are less likely to have things taken over by these monster monopolies.
Monoculture (Score:2)
>"An unexpected disappearance of saved passwords "impacted Chrome web browser users from all over the world,"
Welcome to the Chrom* monoculture. If you think this is bad, wait until there is some explosion in the base chromium that all these non-Firefox "alternative" browsers all use that will affect all the Chrome AND Chrome-based (Chrom*) browsers as well.
Google is not doing us any favors....
https://www.mozilla.org/en-US/... [mozilla.org]