Chrome stores an irreversible fingerprint of users’ passwords on the local disk. Usernames and passwords aren't sent to Google or shared with third-party providers.
How are passwords detected and stored?
When users sign in to specific sign-in pages, Chrome generates a password fingerprint. Chrome hashes the password with scrypt and truncates the hash to 37 bits, which is enough to identify the password if it’s reused on dangerous or disallowed websites. Chrome then encrypts the partial hash using the OS-level username, if available.
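The fingerprinting step described above, as an added Python example (not Chrome's own code). The scrypt cost parameters, the salt, the choice of the leading 37 bits, and the use of the password length as a pre-filter are assumptions, and the encryption with the OS-level username is omitted.

```python
import hashlib
import hmac

FINGERPRINT_BITS = 37  # size stated on the page

# Assumptions, not Chrome's real values: scrypt cost parameters, the salt,
# and keeping the leading (most significant) 37 bits of the digest.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**12, 8, 1
SAMPLE_SALT = b"constructed-salt"  # constructed sample value


def password_fingerprint(password: str, salt: bytes) -> int:
    """scrypt-hash the password and keep only 37 bits of the result."""
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=8,
    )
    # 8 bytes = 64 bits; shifting right drops all but the top 37 bits.
    return int.from_bytes(digest, "big") >> (64 - FINGERPRINT_BITS)


def make_record(password: str, salt: bytes) -> dict:
    """What is kept after a sign-in: partial hash and length, never the password."""
    return {"fingerprint": password_fingerprint(password, salt),
            "length": len(password)}


def is_reuse(typed: str, record: dict, salt: bytes) -> bool:
    """True if the typed text matches the stored fingerprint."""
    # Assumed pre-filter: a candidate of a different length cannot match,
    # so the scrypt computation is skipped for it.
    if len(typed) != record["length"]:
        return False
    candidate = password_fingerprint(typed, salt).to_bytes(5, "big")
    stored = record["fingerprint"].to_bytes(5, "big")
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    rec = make_record("constructed-Passw0rd!", SAMPLE_SALT)
    print(rec)
    print(is_reuse("constructed-Passw0rd!", rec, SAMPLE_SALT))
    print(is_reuse("constructed-Passw0rd?", rec, SAMPLE_SALT))
```

With 37 bits kept, an unrelated string of the same length produces a matching fingerprint with probability of about 2^-37, assuming the hash output is uniformly distributed.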
What information is stored?
Keystrokes are not stored. The following data is stored locally on users’ devices:
- An encrypted 37-bit partial hash of the password
- Length of the password
- Date and time that the password was last successfully used
- User account email address
If the Chrome Reporting Extension is installed and Chrome detects password reuse, the following data can be stored on the local disk:
- URL of the page where the user entered their password
- Date and time of the alert
- A flag indicating if Safe Browsing classifies the site as unsafe