
Google Chrome forgets passwords

ratcatcher - October 30, 2009 - 8:39am

If I tell Google Chrome to remember passwords they seem to be remembered for the current session OK, but some of them are missing when I shut down and restart Chrome.

I haven't found the exact pattern but it seems to be that if you have used (or perhaps saved) the username and password in the previous session, it is remembered in the next. But previously saved passwords not used in that previous session are lost (though the URLs and usernames are generally remembered).

I have reproduced this with 3.0.195.27, Rev 2 development version and the released Rev 2 on both Windows XP and Windows 7 RC.



Insecure

I can't see why this is too important because Google Chrome doesn't have any password protection itself, meaning that if you lose your drive, it would be dead simple for somebody to take all your passwords. A better idea would be to use Keepass with Auto-type.

Insert original signature here with Greasemonkey Script.

I don't think we want to get

I don't think we want to get diverted into discussions of best modus operandi here.

The point is that it is a feature of Google Chrome and it isn't working correctly.

Regards

Nick

...

Yes because they probably left that out purposely because it is INCREDIBLY insecure. Like digitxp said if you lost your USB drive you could easily have any and all accounts hijacked. Based on what digitxp is saying it would be as simple as opening a file and reading the password, username, AND website they are associated with. I'd rather them leave it out. It's Google's fault that they made an incredibly stupid password storage system and they should probably disable it until they are able to encrypt it somehow, but it isn't like they are gonna do that. :( And also this is why I never use the "remember password" function in any program unless I know it's going to have a high level of encryption.
I'm hoping John could comment on this to clarify.
Thanks,
Bensawsome

 iLike Macs, iPwn, However you put it... Apple is better ^_^ 
"Claiming that your operating system is the best in the world because more people use it is like saying McDonalds makes the best food in the world..."

It hasn't been left out. The

It hasn't been left out. The functionality is there, but partially broken (it remembers passwords sometimes).

Regards

Nick

The Way the Launchers Work

I think that could be because that's the way the launchers work. We never actually touch the programs themselves--either the launcher does it for us or there's another version that means we don't have to. Don't ask me why. I don't know.

Insert original signature here with Greasemonkey Script.

passwords not portable

Working with Chrome 3.0.195.27 rev2. It saves passwords on one PC regardless of the session, but when I plug the USB into another PC it does forget them. Since the idea behind a portable app is to make it exactly like the production one, it has to be like Google Chrome installed on hard drive. It would be great if Google adds a master password functionality like in Firefox (that's great for portability & security).

Not Identical

Since the idea behind a portable app is to make it exactly like the production one...

There's, CoolPlayer+ Portable, Toucan, Xenon, EraserDrop, shall I go on?
(It's amazing there were so many in-house apps...)
Anyway, it would be near impossible to make them identical to the non-portable one (i.e., there's no way to do stuff like TrueCrypt).

"What is a portable app?" page: "And when you unplug the device, none of your personal data is left behind."

Okay, in that case, then yeah, Chrome Portable isn't technically a portable app.

It would be great if Google adds a master password functionality like in Firefox (thats great for portability & security).

This is Google you're talking about. They basically have every kind of service imaginable. I would guess they want you to take the 1 password approach--use all the Google stuff so that you only need one user/pass. Too bad there's no way to disable the passwords entirely. I use Keepass.

Insert original signature here with Greasemonkey Script.

30 seconds of research on where it stores them

led me to http://www.switchonthecode.com/tutorials/how-google-chrome-stores-passwords where someone has already done the hard work of looking through the Chromium source code to find how they're stored.

The simple answer is that they are encrypted using the Windows CryptProtectData (http://msdn.microsoft.com/en-us/library/aa380261.aspx) API, which means that the encryption used is tied to both the exact PC and the exact user logon credentials.

In other words, we can move the encrypted data from machine to machine, but we can never decrypt it anywhere other than on the source machine, logged in as the same user as before.

So it looks like Chrome passwords will never be portable, and Chromium/Iron/etc. passwords could only be portable if there was a change to the upstream source code.
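
The behaviour described in the post above can be reproduced without touching any browser data. The following PowerShell script is an added example, not part of the original post and not Chrome's code: it uses the .NET `ProtectedData` wrapper around CryptProtectData on a constructed secret, and the `CurrentUser` scope, the file name `sample.dpapi` and the function names are assumptions made for illustration. Save it as a script on the portable drive and run it first on one PC, then again on a second PC or under a different Windows account.

```powershell
# Added example: DPAPI round trip on a constructed secret.
# Function names and the sample.dpapi file name are hypothetical.
Add-Type -AssemblyName System.Security

function Protect-Sample {
    param([string]$Secret)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # CurrentUser scope (assumed): the protecting key belongs to the
    # logged-on Windows user, not to the file or the drive it sits on.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Convert]::ToBase64String($blob)
}

function Test-DpapiBlob {
    param([string]$Base64Blob)
    try {
        $blob = [Convert]::FromBase64String($Base64Blob.Trim())
        # Only checks whether decryption succeeds; the plaintext is discarded.
        [void][System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return $true
    } catch {
        # Unprotect throws when the current user context cannot
        # recover the key that protected the blob.
        return $false
    }
}

# The sample file travels with the script, e.g. on the USB drive.
$file = Join-Path $PSScriptRoot 'sample.dpapi'
$who  = "$env:COMPUTERNAME\$env:USERNAME"

if (-not (Test-Path $file)) {
    Protect-Sample 'constructed-secret' | Set-Content -Path $file
    "Wrote sample blob as $who"
} else {
    $ok = Test-DpapiBlob (Get-Content -Path $file -Raw)
    "Blob decryptable as ${who}: $ok"
}
```

The blob file copies between machines intact; what does not travel with it is the user-bound key, which is why the stored entries are still listed but the passwords cannot be recovered.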

great

That's a nice idea to make them ultra secure, but it does not serve the portable purpose.

Works as designed.

I don't quite understand your comment. It seems the developers of Google Chrome had no intention of making it portable, so their security choice/application design makes perfect sense.

As somebody else suggested, using Google Chrome in conjunction with Keepass would seem like a viable portable solution. (other than using a completely different browser).

Whether or not the developers

Whether or not the developers of Google Chrome had any intention of making it portable or not is irrelevant. The point is that a portable version has been produced and is NOT working as designed because one of the features of the original software is broken.

As far as possible the functionality of the PortableApps version of a piece of software should be identical to that of the equivalent non-portable version. Therefore, if at all possible, the feature should be made to work.

If that is not practical then the feature should be removed completely or disabled in such a way that it cannot be selected. Having it present but broken is the worst of all worlds.

From my limited experimentation with Keepass, it doesn't seem like a particularly convenient equivalent. It seems that one must:

1. Run Keepass.
2. Look up the URL for the site one is trying to log into.
3. Manually tell it to insert the stored username and password.

Perhaps I'm missing the obvious (as I said, I did only try it briefly) but this is far less convenient than having the username and password pre-filled (or available from a pull-down list if you have more than one login for the same site).

Being tied to a particular PC is relevant

I hadn't noticed that the non-portable (original) version of GC is broken. It always seems to remember my passwords just fine.

Perhaps, it is broken and I just missed it, I do typically use Firefox most of the time. So working on the assumption that it's broken, even if Google fixes it, if it's true that the cryptographic information is tied to a particular PC*, then it would seem there is little, to no hope of being able to produce a portable version.

Keepass has a global hotkey to auto-fill webforms, so very rarely do I have to perform all the manual steps you describe.

*As per Jimbo's post.

Confirm on Iron

Can someone confirm this with an install of Iron's zip download to be sure? I added a note to the Google Chrome Portable homepage about it.

Sometimes, the impossible can become possible, if you're awesome!

It looks like Google Chrome

It looks like Google Chrome uses the current local user account information to encrypt passwords. Once you change computers or user accounts, the passwords are thus lost. This problem can occur in non-portable Chrome if you reinstall Windows, for example, or make a new user account and attempt to copy your Chrome User Data over.

I'm not really sure there's a practical way to fix this other than A) changing the Chromium source code to do something more "portable" (and I have not had success in compiling Chromium personally, if someone else wants to try please feel free). B) file a bug with Google and maybe they'll add a switch to change the behavior to something more portable (or post a source code patch to make it 100x more likely to happen) C) work around in the launcher D) use an extension to replace the functionality.

A work around would be quite difficult and would hinge on an SQLite plugin being available for NSIS (plus I'd have to sift through the Chromium source code to figure out how it encrypts/decrypts the passwords [Edit: TFTI Jimbo]).

As for D, maybe some of you guys can try this extension and see if it works any better for you: http://www.chromeextensions.org/appearance-functioning/lastpass-password...

You will need Chrome 4.0 Beta or Dev to use extensions.

Signature automatically removed for being too awesome.

lastpass

I have just installed the 4.0 Beta version of Google Portable (4.0.223.16).

Great, I thought, as this extension is intended for 4.0 beta versions.

Unfortunately when I try to "Add to Chrome" I get a box saying "Extensions are not enabled". Reading through the comments in forums, it looks as though extensions have been disabled in the current beta for some reason.

Trying to install it into 3.0.195.27 gives "Invalid value for 'permissions[0]'."

Regards

Nick

I read Google is reworking

I read Google is reworking the plugin/extension framework, so all plugins will likely have to be modified in some way to work with future versions of Chrome.

I didn't hear anything about

I didn't hear anything about a total rework. Here is what I know:

1) Plugins use the standard Netscape API that every browser (except for IE of course) uses for plugins. This hasn't changed in forever and probably won't change any time soon for compatibility reasons. I can say with certainty that Google isn't going to make Chrome require custom plugin builds.

2) Recently Google announced support for browser actions (a toolbar button that can optionally have a drop down menu) support in extensions. They are removing support for the extension toolstrip (an extra toolbar at the bottom of the window) in favor of this. Because of this, many extensions that use the toolstrip will have to be rewritten to use browser actions instead. This is likely what you are referring to.

Signature automatically removed for being too awesome.

Happy

2) Recently Google announced support for browser actions (a toolbar button that can optionally have a drop down menu) support in extensions. They are removing support for the extension toolstrip (an extra toolbar at the bottom of the window) in favor of this. Because of this, many extensions that use the toolstrip will have to be rewritten to use browser actions instead. This is likely what you are referring to.

Like Opera? Woo! I hope they let you do this with bookmarklets too...

Insert original signature here with Greasemonkey Script.

Hmm Extensions are enabled by

Hmm Extensions are enabled by default in the Dev branch, I guess not for Beta. You'll need to add --enable-extensions to the GoogleChromePortable.ini (help.html has a section on this).

Signature automatically removed for being too awesome.

If you want to do yourself a favor - Use Mashed life

After using Mashed Life's open-sourced tool to dump all my credentials from
my IE & Firefox, and my URLs from Delicious, I imported them all into Mashed Life.
All took me less than 5 minutes. I was totally blown away by that! Including its iPhone part.

And its adoption of Umikey is a big plus, making using Mashed Life even easier
and safer. I no longer need to even type the URL! And I can securely log in from an
insecure PC, on an insecure network.

Just my personal 2 cents to share with the portable community

Steve