The horror of trusting Google with your passwords

15 points by im_jerry87 ↗ HN
I had a little panic attack today while trying to log in to my work.

I'd like to share the story here so that people just stay away from Google's password manager.

I use Bitwarden for all of my important passwords like that of my bank, Google, and Apple accounts.

But for the ones I'm required to sign out every day like Work, I used to save my pwds in Chrome's password manager as it's my default browser.

My company requires changing pwds every 90 days or so. I changed pwds for Citrix and my Company's portal a few weeks ago and saved them in Chrome. And, I've been logging into work using the same until this morning.

Today, I tried to sign into my work as usual, but authentication failed. That's weird, so I thought my 2FA got screwed up. I use WinAuth on my work computer. So, I tried getting codes from Authy installed on my mobile. Still, authentication failed.

So, I go check my pwd in Chrome and to my absolute disbelief, the passwords got changed to old ones. I remember old pwds 'cause they were not that strong and I had easy-to-remember passwords. Only the last time, I picked strong pwds. I also check Citrix, same story. The password got changed.

I immediately reached out to the phone wishing sync somehow failed and I would see my latest pwds, but no.

Luckily, I generated both of these pwds using Bitwarden's password generator and I found out today it saves a history of the most recently generated pwds. And, I was able to get these passwords from there using trial and error. I didn't generate too many pwds recently, so I took only a few tries. Bitwarden saved my ass today.

I felt so dumb for not saving generated pwds then and there in Biwarden. I trusted Google's solution to be reliable. Learned my lesson today. I also plan on keeping my pwds at sync in 2 places. Maybe in iCloud as a backup for Bitwarden.

Always have a backup of your passwords, people.

4 comments

[ 4.5 ms ] story [ 19.2 ms ] thread
I've been using Google Passwords for 10+ years and have never had this issue. Are you sure you didn't forget to save them or that the company has bad enough change vs login pages that they look different to Chrome? I've had issues with the second case, where the new password will be saved for a different page because websites are bad.
Me too. But I changed these passwords many weeks ago and I have been using Chrome's auto fill to login ever since until today. I was on-call even yesterday. So, I'm quite positive that it was Chrome. The only difference today was I updated Chrome before trying to log in. That was it.
Google's password sync is not always 100℅. And it is Best Practice to Always save passwords in at least two different secure locations Have a nice day.
I feel you yesterday I switched to a more privacy focused OS on my Pixel. I encrypted my passwords before sending to google servers so went I went to there website to export my passwords it wouldn't so I was stuck. Thank goodness I was signed in with my iPad using chrome browser because I could copy and paste one by one. So needless to say I moved to bitwarden. My fault for not exporting first but wow what a Job.