Google Password Manager
Grade: F (Fail)
Google · 🇺🇸 United States
Technical details
App: com.google.android.gms
Manufacturer: Google LLC

⚠️ The bottom line

Google can read your passwords. By default, your saved passwords are encrypted with keys Google holds. A rogue employee, a government order, or a breach could expose every password you've saved. The 'on-device encryption' toggle exists but almost nobody finds it. The company that makes $265 billion selling ads stores every password you own. Their privacy policy lets them use your data to 'improve services and develop new ones.' Your banking password lives next to their ad targeting engine.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas.
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants.
Geofence warrants: Police can demand location data for everyone near a crime scene.
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Use KeePassXC or Bitwarden instead: zero cloud/zero telemetry (KeePassXC) or open source (Bitwarden).
7 contradictions (3 critical, 3 high, 1 medium), 3 sources.
Findings by concern
Spying 3/4 HIGH 3 findings
⚠️ Critical · firmware analysis vs regulatory findings
Your password manager shares a process with Google Play Services — the same app that tracks your location, reads your SMS, accesses your camera, and serves ads. It has the AD_ID permission. No other password manager is bundled with an advertising SDK.

What they claim: Google Password Manager is embedded in Google Play Services (com.google.android.gms).

What we found: Google Play Services requests 37+ permissions including ACCESS_BACKGROUND_LOCATION, READ_SMS, CAMERA, RECORD_AUDIO, and AD_ID. Your password manager runs inside the same process that serves ads, tracks location, and reads SMS. No other password manager is bundled with an advertising SDK.

⚡ High · policy claims vs regulatory findings
Google has paid $5.6 billion in privacy fines — for tracking you in incognito mode, tracking your location when you said stop, and sharing your data without consent. This is who holds your passwords.

What they claim: Google positions Password Manager as helping users 'stay safe online'.

What we found: Google has paid $5.6B+ in privacy-related settlements and fines: $391.5M location tracking (2022), $5B-$7.8B incognito mode (2024), $22.5M FTC Safari cookies (2012), EUR 50M CNIL (2019), EUR 150M CNIL cookies (2022), EUR 325M CNIL (2025). The company storing your passwords has the worst privacy enforcement record in tech.

⚫ Medium · policy claims vs app permissions
To use Google's password manager, you sign into Chrome — which also syncs your browsing history, autofill data, and extensions. The password manager is the hook that pulls you into full Google surveillance.

What they claim: Google Password Manager works 'seamlessly across devices' via Chrome sync.

What we found: Chrome sync ties password management to Google account login. Signing into Chrome to use password management also enables browsing history sync, autofill sync, and extension sync — expanding Google's data collection well beyond passwords. The password manager is a funnel into broader surveillance.

Data Sharing 3/4 HIGH 1 finding
⚠️ Critical · policy claims vs regulatory findings
The company that makes $265 billion selling ads stores every password you own. Their privacy policy lets them use your data to 'improve services and develop new ones.' Your banking password lives next to their ad targeting engine.

What they claim: Google's privacy policy covers password data under the same terms as all Google services.

What we found: Google generated $265B+ in advertising revenue in 2024. Your passwords are stored by the world's largest advertising company under a privacy policy that permits data use for 'improving services' and 'developing new ones.' The structural conflict between ad-funded business model and password security is fundamental.

Security 3/4 HIGH 3 findings
⚠️ Critical · policy claims vs firmware analysis
Google can read your passwords. By default, your saved passwords are encrypted with keys Google holds. A rogue employee, a government order, or a breach could expose every password you've saved. The 'on-device encryption' toggle exists but almost nobody finds it.

What they claim: Google Password Manager is presented as a secure way to 'save and manage your passwords'.

What we found: By default, Google Password Manager uses server-side encryption where Google holds the encryption keys. This means Google can technically read your passwords. 'On-device encryption' is available but opt-in and buried in settings. Most of the 3+ billion Chrome users are on the default setting where Google has access.
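The key-custody difference this finding turns on, as an added example (not Google's code): in the default model the provider holds the vault key and can decrypt what it stores; with on-device encryption the key is derived on the phone from a secret the provider never receives, so the same stored blob is useless to anyone on the server side. The cipher here is an HMAC-SHA256 counter-mode keystream chosen so the script runs on the standard library alone, and all secrets and salts are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative cipher only: HMAC-SHA256 keystream in counter mode, so the example
# needs no third-party package. A real client would use AES-GCM or similar.
NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    # With the wrong key this yields garbage rather than an error, as plain XOR does.
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def device_key(user_secret: str, account_salt: bytes) -> bytes:
    # On-device model: the vault key is derived on the phone from a secret
    # (screen-lock PIN or recovery passphrase) that the provider never receives.
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode(), account_salt, 200_000)

def server_side_flow(provider_key: bytes, password: bytes):
    """Default model: the client encrypts under a key the provider issued and keeps.
    Returns (blob the provider stores, what anyone with server-side access recovers)."""
    stored = encrypt(provider_key, password)
    return stored, decrypt(provider_key, stored)

def on_device_flow(provider_key: bytes, user_secret: str, salt: bytes, password: bytes):
    """Opt-in model: same blob format, but the key never existed on the server.
    The provider's best attempt at reading it uses the only key it holds."""
    stored = encrypt(device_key(user_secret, salt), password)
    return stored, decrypt(provider_key, stored)

if __name__ == "__main__":
    # Constructed sample values.
    pw, pk, salt = b"correct horse battery staple", secrets.token_bytes(32), os.urandom(16)
    print("server-held key, insider recovers:", server_side_flow(pk, pw)[1])
    print("on-device key, insider recovers:", on_device_flow(pk, "user-pin-1234", salt, pw)[1])
```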

⚡ High · firmware analysis vs app permissions
If you open Task Manager and look at Chrome's memory, your passwords are sitting there in plain text. Google said this is 'working as intended.' Any malware that can read process memory gets your passwords for free.

What they claim: Google claims passwords are 'encrypted and protected' in your Google Account.

What we found: In July 2024, a Chrome bug locked 15 million users out of their saved passwords for 18 hours. Google classified plaintext credentials visible in Chrome's process memory as 'working as intended' rather than a vulnerability. Passwords are accessible in memory to any process with debugging access.

⚡ High · firmware analysis vs firmware analysis
To check if your passwords have been leaked, Google sends hashed versions of your credentials to their servers. You're trusting the world's largest data collector with partial information about every password you own.

What they claim: Google Password Manager offers a 'Password Checkup' feature to detect breached credentials.

What we found: Password Checkup sends hashed credentials to Google servers for comparison against breached databases. While the protocol uses k-anonymity, it still requires trusting Google's implementation. The company simultaneously runs the largest breach-check service and the largest advertising platform.
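What a k-anonymity breach check actually sends, as an added illustration that is not Google's Password Checkup code (Google's production protocol is a blinded private-set-intersection design and differs in detail; this sketch follows the hash-prefix convention popularised by Have I Been Pwned). The breach corpus and passwords are constructed; the point is that the server sees only a digest prefix plus whatever it logs about who asked, which is the residual trust the finding describes.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the device

# Constructed breach corpus. The server holds only hashes of leaked passwords.
_LEAKED = ["password123", "qwerty", "letmein", "123456", "iloveyou"]
BREACH_DB = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _LEAKED}

def server_lookup(prefix: str) -> list:
    """Server side. It learns the prefix and nothing else about the password, and
    answers with every stored suffix in that bucket (the client's anonymity set)."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in BREACH_DB if h.startswith(prefix))

def client_check(password: str):
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns (is_breached, what_left_the_device, anonymity_set_size)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = server_lookup(prefix)
    # A bucket of size 1 (as with this tiny corpus) gives no anonymity at all;
    # real services rely on hundreds of hashes sharing each prefix.
    return suffix in bucket, prefix, len(bucket)

if __name__ == "__main__":
    for pw in ("password123", "a-long-unique-passphrase-9f3e"):
        print(pw, "->", client_check(pw))
```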

What happened to real people
Documented incidents involving Google products and user data.
Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed.
PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses.
Google received 180 geofence warrants per week by 2019. Each warrant searches tens of millions of accounts. Supreme Court hearing constitutionality (Chatrie v. United States).
What your data is worth to governments
Google complied with 235,000 government data requests in H1 2024. That's +530% over 10 years. Google has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).