Why password managers are your safety net during a data breach
In this age of widespread cyberattacks, it seems like there’s a new data breach in the news every day, and these breaches are particularly alarming when they affect the services you rely on to protect your information in the first place — particularly if it’s something like a password manager. Events like these may cause you to question whether certain security tools, such as your password manager, can be trusted.
The reality is, password managers remain among the best ways to stay safe online. This is why we built Google Password Manager right into Chrome and Android, letting you access all the passwords in your Google Account across devices — so that you don't have to go through the steps of downloading a separate app. So in honor of Safer Internet Day, we want to clear up some misconceptions and take a look under the hood of Google Password Manager to help you understand why it’s the safer way to sign in to all of your online accounts.
Password managers: a secure “basket”
One of the most common objections to password managers — particularly in light of data breaches or vulnerabilities — is the old proverb against keeping “all your eggs in one basket.” With wicker baskets it may make sense to diversify, but when it comes to authentication credentials, a better metaphor is “keeping your money in the bank.” Like physical banks, Google Password Manager uses multiple layers of security to protect against even the most persistent attacks.
First, Google Password Manager is integrated into Android devices and Google Chrome. On each of these platforms, access to your passwords is protected across the full lifecycle: from creation, to storage, to autofill.
Second, your saved passwords are kept safe with the same advanced security we use to protect everything in your Google Account — like your emails, photos and docs. We’re constantly innovating to ensure our protections stay a step ahead of evolving threats, and you can be assured that your passwords are benefitting from the same advancements.
We also provide easy ways for you to enhance the security of your Google Account by taking the Security Checkup, enrolling in 2-Step Verification (2SV), and if you’re a high-risk user, using our Advanced Protection Program (APP).
Autofill is phishing-resistant
Google Password Manager powers autofill on Android and Chrome, which in addition to convenience, also provides an important layer of phishing protection.
Phishing often involves tricking people into typing their password on a deceptive sign-in page (like a lookalike bank sign-in page that uses the number “1” instead of the letter “l”). Google Password Manager’s autofill removes this risk by directly matching the domain name itself: only if it determines the site is real will it allow your password to be autofilled.
Autofill from the Google Password Manager works automatically to sign you in on any website or app: Android apps, websites on any device, and even iOS apps if you install Chrome on your iPhone or iPad.
Automatic breach detection
In addition to securely storing passwords and filling them only on legitimate sites and apps, Google Password Manager has another trick up its sleeve to protect against breaches. Password Checkup, which checks more than one billion passwords for breaches every day, is available both in Chrome and as part of the Security Checkup. Whether you explicitly run a checkup, or in the moment as you’re signing in to a page, Google will warn you if your username and password are identified as weak, or known to have been compromised in a data breach on some external site or app. Password Checkup is critical to keeping your passwords secure, and, as with all of our products, it’s private by design. Using Protected Computing, the Google Password Manager is able to perform these breach checks while ensuring that no one but you can access your passwords.
A passwordless future
Building authentication solutions that are secure and easy to use is a massive challenge. Thanks to years of engineering investment — in our Password Manager, 2-Step Verification, security keys, and the FIDO and Webauthn standards — we’re now leading the industry toward a future without passwords on Android, Chrome, and beyond. And yesterday, we announced the alpha release of Credential Manager on Android, which allows app developers to simplify their users' authentication journey, while also increasing security with support of passkeys.
Backed by public-key cryptography, passkeys are both more secure than passwords (think of them like a 1000-letter password stored in secure hardware) and more convenient (they require just a biometric swipe to securely sign you in on any device). Passkeys are stored in the Google Password Manager and protected with the same industry-leading on-device encryption, providing the safest experience and improved convenience.
Tying it all together: Safer with Google
With the interconnectedness of everything online, authentication and account security are paramount for staying safe. From social networks and games to grocery delivery and even an app that tells you when it’s safe to take a bathroom break during a movie, hardly a day goes by without signing up to try a new app or website; keeping you safe on all of them is a priority across everything we do.
Password managers are an important part of your online security arsenal, both for today’s passwords and tomorrow’s passkeys, and with Google Password Manager, we are committed to keeping all your credentials safe, convenient and secure. If you use Chrome or Android, you already have it — get started at passwords.google today! It’s just one of the many ways we’re making every day Safer with Google.