Google Says Sorry After Passwords Vanish For 15 Million Windows Users

Google has expressed its regret following a bug that affected a substantial number of Windows users, preventing them from accessing or saving their passwords. This issue, which arose on July 24 and persisted for nearly 18 hours until it was resolved on July 25, was attributed to “a change in product behavior without proper feature guard.” This explanation may resonate with those familiar with the recent CrowdStrike disruption.

The password visibility problem impacted Chrome web browser users globally, leaving them unable to retrieve any passwords previously saved through the Chrome password manager. Newly saved passwords also became inaccessible to those affected. Google confirmed that the glitch was confined to the M127 version of the Chrome Browser on the Windows platform.

How Many Google Users Were Impacted By The Chrome Password Vanishing Act?

Determining the exact number of users affected by this password manager issue is challenging. However, considering that there are over 3 billion Chrome web browser users, with Windows users constituting the majority, we can estimate the impact. Google reported that 25% of the user base experienced the configuration change, which translates to approximately 750 million users. Of these, around 2% were affected by the password manager issue, suggesting that roughly 15 million users encountered the frustrating disappearance of their passwords.

Chrome Password Manager Disruption Is Now Fully Fixed

During the disruption, Google provided an interim workaround that involved a rather cumbersome process: launching the Chrome browser with a command line flag of “--enable-features=SkipUndecryptablePasswords.” Fortunately, the complete fix now requires users to simply restart their Chrome browser. In a message of appreciation for user patience, Google stated, “We apologize for the inconvenience this service disruption/outage may have caused.” Users who experienced issues beyond what has been described are encouraged to reach out to Google Workspace Support.

How To Use Google’s Chrome Password Manager

Accessing Google’s Chrome password manager is straightforward. Users can navigate through the browser’s three-dot menu by selecting Passwords and Autofill, followed by Google Password Manager. Alternatively, the password manager Chrome app can be installed from the password manager settings, allowing direct access from the Google apps menu. If Chrome prompts for password autofill, selecting manage passwords will also lead users directly to the manager.

For those currently using a standalone password manager and considering a switch to Google’s offering, the transition is relatively simple, though it’s advisable to maintain a separate service for enhanced security. To migrate, download your passwords from the other application as a .CSV file, ensuring the format is correct with three column names: url, username, and password. Once verified, navigate to passwords.google.com in Chrome, select Settings|Import, and choose your password file. It’s crucial to delete the .CSV file from your device afterward to safeguard against unauthorized access.
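The migration steps above can be checked before import with a short script. This is an added example, not code from Google or from the original article: it verifies that an export has exactly the three column names listed above, reports malformed rows by line number without ever echoing a secret, and then deletes the plaintext file. The function names and the sample data are assumptions made for illustration.

```python
import csv
import os
import tempfile

EXPECTED = ["url", "username", "password"]  # column names the article lists

def check_export(path):
    """Return a list of problems found in a password-export CSV.

    Only line numbers and column names are reported, never field values.
    """
    with open(path, newline="", encoding="utf-8-sig") as fh:  # tolerate a BOM
        reader = csv.reader(fh)
        header = next(reader, None)
        if header is None:
            return ["file is empty"]
        names = [h.strip() for h in header]
        # Strict match on the names above; the importer's own tolerance
        # for other spellings is not assumed here.
        if names != EXPECTED:
            return [f"header is {names}, expected {EXPECTED}"]
        problems = []
        for row in reader:
            line = reader.line_num
            if len(row) != len(EXPECTED):
                problems.append(f"line {line}: {len(row)} fields, expected 3")
                continue
            # An entry without a url or password cannot be used for autofill.
            for name, value in zip(EXPECTED, row):
                if name != "username" and not value.strip():
                    problems.append(f"line {line}: empty {name}")
    return problems

def remove_export(path):
    """Delete the plaintext export once the import is done."""
    os.remove(path)
    return not os.path.exists(path)

def demo():
    # Constructed sample export; the values are placeholders, not credentials.
    sample = (
        "url,username,password\n"
        "https://example.com/login,alice,placeholder-1\n"
        "https://example.org/,bob,\n"
        "https://example.net/,carol\n"
    )
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
        fh.write(sample)
    return check_export(path), remove_export(path)
```

Deleting the file removes the directory entry only; copies in cloud-synced folders, backups or the recycle bin have to be cleared separately.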

While the Google Password Manager is user-friendly, it may not be the most secure option available. Utilizing a password manager significantly reduces the likelihood of reusing passwords across multiple accounts or resorting to easily guessed passwords. Dedicated password managers often offer additional security features, such as two-factor authentication, robust password generation options, and enhanced security measures. For instance, 1Password employs end-to-end encryption for data in transit, 256-bit AES encryption, and other advanced security protocols to protect user data.

The Google Chrome password manager can also implement on-device encryption if configured accordingly. Users are advised that once on-device encryption is set up, it cannot be removed. However, with this setup, users can unlock their passwords or passkeys using their Google password or the screen lock on compatible devices.

Passwords Are Not The Only Google Security Measure That Went Missing Recently

In addition to the password issues, cybersecurity expert Brian Krebs reported that email verification for new Google Workspace accounts also faced disruptions. This authentication flaw, which has since been resolved, allowed malicious actors to bypass the email verification process necessary for creating Google Workspace accounts, enabling them to impersonate legitimate domain holders on third-party services. This impersonation granted access to various services, including Dropbox.

The issue appeared to be linked to Google Workspace’s free trial offerings, which provide access to services like Google Docs. However, Gmail access should have been restricted to existing users who could validate their control over the associated domain name. Unfortunately, attackers were able to circumvent this validation process. Anu Yamunan, director of abuse and safety protections at Google Workspace, revealed that a few thousand non-domain verified accounts were created before the vulnerability was addressed, with a fix implemented within 72 hours of the report. The tactic involved a specially constructed request that allowed bad actors to bypass email verification during signup.

Further comments from Google are awaited regarding these recent security challenges.
