Google Chrome to delete all iOS passwords in one click—but why?
Some security features are easier to understand than others. When Google announced it was deleting some Gmail accounts on security grounds, for example, that made perfect sense. The same can be said of the brilliant new tracker alert security feature for Android users. But when the latest experimental version of the Chrome app for iOS introduces a feature to delete all the passwords from its password vault in one click, to be honest, I’m having to really scratch my head as to the reasoning other than “because we can and Apple can’t.” Here’s what you need to know.
Google Chrome App Will Soon Delete All iOS Passwords In 1 Click
A Google Chrome feature, experimental in nature at the moment as it is present in the canary version of the iOS app, has appeared in the latest version that allows all passwords to be deleted from the Chrome vault in one go. As spotted by the ever-resourceful Rafly Gilang, a technology reporter at MSPowerUser, the feature is an update to the Chrome app’s password manager functionality. Hidden behind the “Enable delete all saved passwords in GPM” flag in Chrome Canary, Gilang said, “when activated, it adds a “delete all” button within the Google Password Manager settings. With one tap, you can permanently remove all passwords, passkeys, and other associated data stored in the manager, just like on the desktop.”
The related commit posting to the Chromium source code forum confirmed that the new code function was “part of the overall effort of supporting delete all passwords” in the Google password manager.
Why Would Google Want You To Delete All Passwords With 1 Click?
The question remains, however, as to why. One option, as Gilang pointed out, is that it “gives Chrome on iOS an edge over Apple’s Safari, which has yet to have this capability.” This is OK as far as it goes, but it doesn’t explain the security thinking behind it. I can see that usability is always a consideration, and if you were moving from one password manager to another, then it would make sense to be able to delete all traces of your old password vault in as few moves as possible, and that would be security positive. Make the option too tricky or non-existent, and maybe people will leave the data there, and that would effectively double the password attack surface, I guess. Arguments have been put forward to suggest that it could also be a security plus if there was a suspected breach of the password database, but that doesn’t wash with me. For one, if it’s been breached, then an attacker already has your data, which will be encrypted anyway, so the nuclear delete option serves no useful purpose. For another, deleting all your account passwords without any kind of backup is beyond nuclear; it verges on the insane.
I have reached out to my contacts at Google for a statement and hopefully I’ll be able to report back soon with the official security thinking behind this.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25636776/VST_0924_Site.jpg)
