Google Password Manager Review: Why You Need a More Advanced Alternative
July 31, 2023
Whether you use Google Password Manager to keep track of your passwords and secure your accounts or are considering using it, you should read our Google Password Manager review.
Although it recently received several new upgrades, our security experts found that Google Password Manager still lacks important security features. It also works only in Chrome, so it’s only suitable for Chrome users and those willing to be locked into the Google ecosystem. If you prefer a different browser or use multiple browsers on desktop and mobile, you’ll want to look at other options.
But even power Chrome users may want to reconsider relying on Google Password Manager. All browser-based password managers, including Google Password Manager, are not secure enough. But standalone password managers aren’t a great alternative either (we have discussed their shortcomings in a previous blog post). To solve this problem, we created IronVest.
Whether through social engineering, malware, credential stuffing attacks, or software vulnerabilities, even the best password managers can be hacked, which makes them a single point of failure for all of your passwords and account logins.
But not IronVest.
IronVest offers the best of password managers (password generator and storage, autofill, password checkup, etc.) while also including additional, must-have security and privacy features like zero-knowledge decentralized architecture, continuous biometric fraud prevention, MFA protection, masked emails, virtual cards, and more.
Let’s take a closer look at what password management in Google Chrome looks like and why IronVest is a more secure alternative.
What Is Google Password Manager?
Google Password Manager is a free password manager solution built into Chrome and all Android apps.
Chrome password manager has features like a password generator, password checkup, and password autofill, but it is only suitable for people who use Chrome as their primary browser.
Is Google Password Manager Safe?
The short answer is no.
The longer answer is that password managers are generally not safe. Built-in password managers (i.e., password managers that are part of a browser by default) like Google Password Manager are particularly susceptible to being hacked and abused via information-stealing malware.
Here’s why Google Password Manager isn’t the best option from a safety and privacy perspective.
Lack of transparency around encryption
It’s hard to trust solutions that hide how they work. Exploring Google’s support documentation, we struggled to find information about how exactly Google Password Manager keeps your passwords safe beyond the claim that it uses “advanced security” and encryption.
Digging a little deeper into Google’s documentation, we found another section where Google says it encrypts usernames and passwords with a secret key that’s only known to a user’s device. However, this still did not elaborate on the kind of encryption used.
We also had to enable on-device encryption ourselves, which first involved finding this option in Settings. Here we were warned that if we lost our key, we’d likely lose our passwords, too.
Data is decrypted using user account information, which isn’t very secure. If your Google account is breached, there’s a high chance your passwords will be compromised, too.
User passwords are left vulnerable to hackers, who can use techniques like drive-by downloads or social engineering to install malware on your device and steal your sensitive data, including passwords.
For example, the nefarious RedLine Stealer, an information-stealing malware, targets login data stored in web browsers like Chrome. As long as it’s logged in as the user, the malware can extract passwords from browser profiles.
Malware like this can be bought on cybercrime forums for just $200 and requires little knowledge or effort to use. Hackers that steal credentials this way usually use them for other attacks or sell them on the dark web.
Here's a video walk-through showing how easy it is to extract plaintext Google Chrome passwords:
What’s also worrying is that even users who don’t use Google Password Manager are still at risk.
As AhnLab Security Emergency Response Center (ASEC) points out, when users choose not to store credentials in the browser, browser password management systems like Google Password Manager add an entry indicating that a specific website is “blacklisted.”
Hackers may not be able to see your credentials for the site, but they will know that you have an account there. They can then try to break into that account using techniques like credential stuffing or social engineering.
IronVest offers comprehensive account security and privacy.
IronVest protects users through a unique combination of bank-grade security, zero-knowledge architecture, decentralized biometric fraud prevention technology, and biometric 2FA protection. You can read more about our security solution on our security page.
The bottom line is: even if a criminal cracks or steals your passwords, they still wouldn’t be able to log into your accounts protected with IronVest.
To ensure that you don’t suddenly lose your passwords, IronVest gives you a Backup Passphrase. We also give you the option of biometric backup, which involves IronVest releasing your passphrase only after biometric authentication.
Users can also share their Backup Passphrase with those close to them as a digital legacy option - something that Google Password Manager is missing.
When you use a new device to log into your Google account, Google verifies that you are who you say you are through two-factor authentication (2FA). But we noticed that you don’t have to verify yourself through 2FA before accessing your passwords.
IronVest protects your passwords and accounts with two-factor authentication and 2FA protection.
IronVest’s 2FA protection feature tokenizes your credentials and routes them through IronVest’s security virtual phone number, which is only released when you authenticate yourself biometrically. This prevents cybercriminals from accessing your IronVest account through attacks like SIM swap.
IronVest’s 2FA protection isn’t limited to the IronVest platform. You can use it to protect all your online accounts.
For example, if you have IronVest’s 2FA protection feature enabled on your bank account, the 2FA code won’t go to your personal phone number. Instead, it will go to IronVest’s virtual phone number. IronVest will then automatically fill the 2FA code on your behalf once it authenticates you through biometrics.
Currently lacks biometric authentication
Google is talking about introducing a biometric authentication option to Google Password Manager, but this hasn’t happened yet. Although a biometric option is supposed to be already available on Android and iOS devices, in our experience, we couldn't find this function anywhere.
If and when Google Password Manager adds this feature, users will need to decide if they are comfortable with their biometrics being stored by Google due to privacy concerns.
IronVest’s decentralized biometric authentication is available on both desktop and mobile. You can also enable it on every online account you own.
IronVest users can enable biometric account protection on both their IronVest account and any other online account they may have.
Rather than authenticating you biometrically at login only, IronVest verifies your identity even after you log in, like when making a sensitive transaction in your bank account, to make sure that it is really you and not someone else trying to make a sensitive financial transaction.
IronVest’s decentralized infrastructure means that users’ biometric data is spread through several secure nodes and isn’t accessible to anyone, not even IronVest.
Like most big tech companies, Google doesn’t have the best track record when it comes to user privacy. Unsurprisingly, this can be a turn-off for many people. It is for us, at least.
Is Google Password Manager Convenient?
Yes and no.
We found that Google Password Manager is convenient in the sense that you can save, generate, and autofill passwords straight from your Chrome browser without having to install anything or set up an account with a standalone password manager.
On the other hand, it also struck us that Google Password Manager is going to be awkward for many people to use. One of the main reasons is that it only works on Chrome, a browser not everyone uses. In many cases, people use multiple browsers across devices.
Although you can see and edit your passwords from any browser and device by signing in to Google Password Manager’s online dashboard, some of the really important features, like autofill, only work on Android and in the Chrome browser (including on iOS). This means that if you use Google Password Manager, you are effectively locked into the Google ecosystem.
Even when you use Chrome across devices, the password manager may not always sync your passwords. The reasons for this may vary from not having the latest Chrome version to forgetting to enable password sync.
Some people have also reported losing all of their passwords after updating/restarting their Chrome browsers. Given that there are entire articles written on how to get them back, this seems to be a common problem.
Another thing we didn’t like about Google Password Manager is that it does not walk you through how to use it or even find it. If you’re a Chrome user, you may not even be aware that this feature exists and may be using Google Password Manager without knowing it, which, as we mentioned already, could put your accounts at risk.
IronVest is universally compatible.
IronVest’s browser extension and app are compatible with most operating systems (including Windows, Mac, Linux, iOS, and Android phones and tablets) and all major browsers. Data syncing is seamless between mobile and desktop.
When you get started with IronVest, we walk you through the platform so that you can make the most out of all the features available.
Google Password Manager Features
Google Password Manager includes the following features:
Google Password Manager saved our passwords when we first entered them on a site. It was also possible for us to save several username and password combinations for the same site, which is handy if you have multiple accounts.
We were able to manage our passwords in passwords.google.com. When we tried to change a password directly on a site, we saw a popup from Google Password Manager asking if we wanted to update this information.
Important caveat: Storing passwords in a browser isn’t secure and increases the risk of criminals accessing your credentials.
IronVest offers secure password storage. IronVest asks if you want to save your passwords when you sign up/log into a site that isn’t yet saved. You can save multiple passwords for the same account. Passwords are protected with bank-grade security, decentralized biometric fraud prevention technology, biometric 2FA protection, and a zero-knowledge decentralized architecture.
Google Password Manager automatically filled in passwords and addresses when we logged into sites where we had already saved our credentials and personal information with Google Password Manager on. For multiple accounts, Google Password Manager let us choose between them when logging in.
The risk is that anyone with access to your computer can log in to your stored accounts. This is a serious vulnerability.
Important caveat: Your passwords won’t autofill on other browsers, like Firefox or Safari. Also, in our experience, finding where to update autofill information was a challenge. Your best bet is to do so when filling out a form (click “Manage Addresses”). Otherwise, you’ll need to go to your Google account settings.
IronVest auto-fills your credentials and identity profiles. IronVest can fill in your passwords, identity profiles, and real or masked credit card details in any browser or mobile app.
Password autofill makes it easy to log into your accounts regardless of what browser or device you’re on.
Identity profile autofill makes account creation faster. Here, you can add the information you want IronVest to automatically fill in on your behalf when you encounter an online form, including preferred username, gender, date of birth, Driver’s Licence, Social Security Number, company name and position, and website URL.
Masked identity profile autofill helps you take control of your online privacy. For example, you can set it up so that IronVest automatically fills in your masked email rather than your actual email address when filling out a form online. You can do the same for your name, phone number, and address. You can also select IronVest to create masked cards automatically in your identity profile setup.
For extra security, you can set up IronVest to autofill passwords, virtual cards, and other information only when it authenticates you biometrically.
Updating autofill information is easy. To do so, all you need to do is go to your IronVest dashboard.
One feature we liked was that we could ask Google to check if any of our passwords had been compromised or if any of our credentials are reused or weak.
IronVest notes if your passwords are unique or reused. It also lets you know when you created passwords so that you can periodically change them.
When creating a new password, users can click a key icon to get Google to generate a unique password for them.
If you choose to go with the password Google creates for you, it is automatically saved to your Google Password Manager.
Important caveat: Google’s password generator is not customizable. You can’t change the suggested password, for example to make it shorter or longer or to add or remove symbols or special characters.
IronVest is customizable. IronVest generates secure passwords and allows users to customize them, as well. By default, IronVest creates passwords that are 10 characters long and consist of letters, mixed cases, numbers, and symbols, but users can reduce or increase password length and deselect the use of special characters and/or numbers.
Promised biometric authentication
Google Password Manager does not currently offer biometric authentication.
Although biometric authentication is supposed to be available on Android and iOS devices, we could not find this feature anywhere.
Google is now saying it will introduce biometric authentication to desktops, too, but this has not yet happened, and there is no indication as to when it will. When it does, users may be wary of using this function due to Google’s less-than-stellar history of protecting its users’ privacy.
You can use IronVest everywhere. IronVest’s biometric authentication is available:
On desktop and mobile.
On IronVest and all other online accounts.
During post-login sensitive actions rather than just at log-in.
In a recent upgrade, Google Password Manager introduced secure notes. This means you can add information next to your credentials when you save them in Google Password Manager.
IronVest allows users to save notes with each password. Plus, all notes are encrypted.
Google Password Manager users can import passwords through a CSV file.
IronVest imports passwords from CSV files and multiple password managers and browsers.
IronVest users can import passwords from NordPass, 1Password, Bitwarden, LastPass, True Key, KeePass, Dashlane, PasswordWallet, and RoboForm, plus browsers such as Chrome, Firefox, Safari, Brave, Opera, and Microsoft Edge. Additionally, IronVest allows password importing through CSV files.
Google has an FAQ section as well as a help forum or “Community” where users can ask questions. There’s also live chat, phone, and email support. We were unimpressed by Google Password Manager's lack of dedicated support.
IronVest has dedicated support. IronVest has multiple customer support options, including a help center and knowledge base, email, and live chat (the latter is available to Plus and Ultimate users).
Does Google Password Manager Have Any Additional Privacy Features?
It is relatively common for password managers to offer users extra features, for example, masked email addresses. Google Password Manager does not have any additional privacy features.
IronVest has the following bonus features:
With IronVest’s masked emails, you can hide your actual email address. Users can create completely random emails (for example, email@example.com) or email addresses that look real (for example, firstname.lastname@example.org).
Since websites sell your email addresses, a masked email can help you reduce how much spam you receive and minimize the risk of your email being used to scam you or brute force your online accounts.
Emails that come to your masked address are forwarded to your real email inbox, and you can also send emails using your masked address.
Through the IronVest dashboard, users can see where they’ve used masked emails and the forward addresses for each. Toggling off forwarding is easy and means you will no longer get emails from that specific sender.
Virtual phone numbers
IronVest’s masked phone numbers can forward calls, texts, and voicemails to your actual phone number. No one ever sees your real number. You can also use your IronVest masked number to make calls.
You can see everyone who has called your masked number via the IronVest dashboard. You can also switch off forwarding to stop getting calls from a specific caller, who will be told your number is unavailable.
IronVest’s masked phone number also acts as your 2FA security number. Rather than going to your actual phone number, your MFA codes will instead go to the secure IronVest masked number and only be released when you authenticate yourself biometrically.
Virtual credit cards
With IronVest’s masked cards, you can hide your actual debit or credit card number. If you use virtual cards, the merchant won’t know your real card number, which significantly reduces your chances of falling victim to financial fraud in the event of a data breach or if you do business with a scammy website.
IronVest’s web tracker blocker stops website trackers from snooping on you.
How Much Does Google Password Manager Cost?
Google Password Manager is free, just like Chrome, the browser it’s on. However, it lacks many features we expect to see in a typical password manager.
IronVest has three different pricing plans, including a free version:
IronVest Essential is free. No credit card is required to sign up for this plan.
IronVest Plus is $5.95 monthly/$39 yearly.
IronVest Ultimate is $14.95 monthly/$99 yearly.
All IronVest Essential users get a 30-day free trial of IronVest Plus. Sign up for IronVest today.
Unlike Google Password Manager, IronVest goes beyond password management features. Our platform also offers biometric account authentication, 2FA biometric protection, masked emails, virtual debit and credit cards, masked phone numbers, secure credit card storage and autofill, website anti-tracking, secure notes, and real/masked identity autofill profiles.
Are Standalone Password Managers Better?
Standalone password managers are better than browser-based password managers. But, as we explain in another blog post, dedicated password managers can still be abused.
Here are some recent headlines on password manager breaches:
LastPass data was stolen by hacking an employee's home computer (The Verge)
Norton LifeLock says thousands of customer accounts breached (TechCrunch)
Bitwarden users at risk after potential phishing scam discovered (TechRadar)
KeePass Exploit Allows Attackers to Recover Master Passwords from Memory (The Hacker News)
Some Popular Password Managers Found to Auto-Fill Passwords on Untrusted Websites (NetSec.news)
Why You Should Use IronVest for Account Security
IronVest’s account protection doesn’t rely on you having strong passwords. A cybercriminal could get their hands on your credentials or trick your telecom provider into transferring your phone number to their SIM card to steal your MFA code, and your accounts would still be secure.
The reason is that strong password generation and storage are just a small part of what IronVest does.
As a comprehensive privacy and security solution, IronVest goes beyond standard password manager features to also provide:
Continuous biometric authentication for all your online accounts.
2FA protection for all your accounts.
Zero-knowledge, decentralized infrastructure.
Masked email addresses to prevent attacks like password cracking, phishing, and spam.
Virtual cards to reduce financial fraud.
Masked phone numbers to minimize phone scams.
Web tracker blocker to stop the collection of your personal information that is then sold to data brokers and other third parties.
Ready to give IronVest a go? It’s totally free to get started with.