How secure is Chrome storing a password?

Chrome not only stores your password text, it will show it to you. Under settings -> advanced -> manage passwords you can find all your passwords for all your sites. Click show on any of them and it will appear in the clear.

Hashed passwords work for the site authenticating you. They are not an option for password managers. Many will encrypt the data locally, but the key will also be stored locally unless you have a master password set up.

Personally, I use the Chrome password manager and I find it convenient. I also, however, have full disk encryption and lock my screen diligently, which makes the risk reasonable imho.

You seem to be inconsistent (many are) by both selecting memorable passwords and using a password manager. And I may venture to guess you may even repeat the password, or at least the theme, across many sites. This gives you the worst of both worlds. You get the risks of a password manager without the benefits.

With a password manager you trust, you can give each site a unique random password, not memorable at all, and gain a lot of protection from many very real attack vectors, in exchange for a single point of failure: your password manager. Even with a less than perfect password manager this isn't an unreasonable trade-off. With a good password manager this is becoming the consensus best practice.

Edit to add: please read Henno Brandsma's answer explaining how the login password and OS support can be used to encrypt passwords. This gives a reasonable level of protection to your passwords when the computer is off/locked (full disk encryption is better) and won't help much if you leave your computer unlocked. Even if the browser requires a password to show plain text, debug tools will still let you see already filled passwords, as @Darren_H comments. The previous recommendation still stands: use random unique passwords and a password manager.


Chrome (under Windows) actually does encrypt the passwords when stored. But it does it in a way that only someone knowing your login password (or hijacking your login session) can actually use or view the stored passwords. This is well-documented (it uses the so-called Data Protection API (DPAPI), which is in Windows from NT 5.0 (i.e. Windows 2000) onwards, which nowadays uses AES-256 to encrypt the password data). Google believes that this is enough security, because it has the same level of protection as your whole login. On the Mac or Linux they use the native keychain technology to protect a special Chrome master password, achieving the same effect, essentially. Read the sources for all the details...

Edge and IE (available on Windows only of course) also use this technology, BTW, under a wrapper called the Credential Store, in recent versions of Windows (and before that they used DPAPI data stored in the registry). For more info on DPAPI, see here, e.g.

See https://github.com/byt3bl33d3r/chrome-decrypter for an example on how people extract stored password data, knowing your login credentials.

Recently on Windows the system changed to a system more like the macOS one: one 256-bit master key is stored (in a separate file called Local State in the app directory, base64 encoded and represented in JSON) as a DPAPI secret again, and each password item is then a hex encoded, AES-GCM encrypted entry in the sqlite database in that same directory (all under that master key, but each with its own 12-byte nonce, and a 16-byte tag to protect integrity). So still it eventually depends on the user password credentials. Once the user password (or rather its SHA1 hash) is known, all entries are decryptable. As said, this is by design. Even Microsoft's Edge (Chromium edition) uses this system now, as claimed in this blogpost.
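A working model of the layout the answer above describes (Local State JSON carrying a base64 master key, each sqlite cell a hex encoded AES-256-GCM blob with a 12-byte nonce and 16-byte tag), added here as an example; it is not Chrome's code nor the linked tool. It assumes the `os_crypt.encrypted_key` JSON path and, to run on any OS, treats the decoded blob as the already unwrapped key instead of calling DPAPI; it never reads a real profile. The point for a defender is visible in the functions: every entry is only as protected as the one master key, while the tag check means a tampered cell fails instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// encryptedMasterKey pulls the base64 key out of the "Local State" JSON. On a
// real Windows profile the returned blob is still DPAPI-protected and must go
// through CryptUnprotectData (assumed here; this example skips that step).
func encryptedMasterKey(localState []byte) ([]byte, error) {
	var ls map[string]map[string]string
	if err := json.Unmarshal(localState, &ls); err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(ls["os_crypt"]["encrypted_key"])
}

// newVault turns the unwrapped 32-byte key into AES-256-GCM (12-byte nonce, 16-byte tag).
func newVault(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEntry encrypts one password with a fresh nonce; the sqlite cell holds
// hex(nonce || ciphertext || tag), and every entry sits under the same master key.
func sealEntry(v cipher.AEAD, password []byte) (string, error) {
	nonce := make([]byte, v.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(v.Seal(nonce, nonce, password, nil)), nil
}

// openEntry reverses sealEntry; a wrong key or any modified byte fails the tag check.
func openEntry(v cipher.AEAD, entry string) ([]byte, error) {
	raw, err := hex.DecodeString(entry)
	if err != nil || len(raw) < v.NonceSize()+v.Overhead() {
		return nil, errors.New("malformed entry")
	}
	return v.Open(nil, raw[:v.NonceSize()], raw[v.NonceSize():], nil)
}
```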


Please, please, please stop reusing your passwords!

In Firefox you can actually set a master password which will protect your stored passwords from being viewed. This master password will also be required once per session before the browser will start filling in passwords for you.

You could also use a general purpose password manager, for example Keepass.

Anyway, for most people the danger of losing a password because one site got hacked is greater than losing it on their own computer. That's because an attacker with access to your computer has many other options for attacking you. One of the main benefits of using a password manager is that you don't have to manually enter the password anymore so you can actually pick completely random and secure passwords.

If you have been reusing passwords for a while there is a neat site for checking some of the more prominent breaches to see if you have been affected: https://haveibeenpwned.com/

If you have to use many different machines you can consider using something like Keepass2Android on your phone.