5 Red Flags: Why You Should Pass on Google Password Manager

Published by Dan on


Years ago, I managed a campaign for a state house candidate. We’ve stayed in touch, and I was talking with him recently about my first password manager post.

When I finished my harangue about how too many people don’t use a password manager and, based on a 2024 study, only about one-third of U.S. adults protect the keys to their online data, he told me he uses Google Password Manager, or GPM.

He said it is simple to use, and makes sense for him even though he uses an iPhone and has an Android tablet.

Hmmmm.

Although I have a thing about Google – more later – and no longer use Gmail, Google Docs, or its ubiquitous online search, if somebody I respect as much as I do my friend trusts its password manager, I should take a hard look at it.

Based on my research, GPM may work for you. It’s not right for me, though, because of its feature set and how it handles encryption.

A framework

In the previous post, I recommended you observe your online behavior for a week. I asked you to take note of, roughly, the number of times you signed in to a website or app each day.

I asked you to do that because more than half of American adults who do use a password manager use either GPM or Apple Keychain.

GPM and Apple Keychain are primarily browser-based tools. GPM can be extended for use on Apple devices, but it takes an extra step.

Browser based or wider ranging?

If you only use passwords in a web browser, and don’t need to sign into apps or services in other contexts very often, GPM or Keychain may work for you. They’re straightforward and fairly simple tools with one key differentiator.

GPM can be used throughout the Google and Apple ecosystems, while Keychain is an Apple-only product. You can export Keychain data and load it into an Android device, but it is a cumbersome process, and will not update dynamically as you add new logins.

From a 30,000-foot perspective, if you’re all Apple, all the time, Keychain could work. If you’re not, you can use GPM. There’s far more you should consider, though.

Why GPM makes sense for some

When my friend said GPM made sense for him, his reasoning was hard to argue with. There’s so much bad tech floating around that finding something which works well may be reason enough to stick with it.

Let’s walk through the pros and cons of GPM. Because its usage has ballooned since 2021, it must be doing something right, even though it stumbled at least once in 2024.

When researching this article, I used many different resources including Google’s own AI, Gemini 1.5 Flash. I began a chat with it by asking if it was ready to answer some questions about GPM. It returned this:

Absolutely! I’m happy to answer your questions about Google Password Manager. Here’s what I found from some of the best sources on the web:

  • What is Google Password Manager? It’s a free password manager solution built into Chrome and all Android apps. It helps you create and save strong, unique passwords for all your online accounts.
  • Is Google Password Manager Safe? Yes, Google Password Manager is safe to use. Your passwords are encrypted and stored securely in your Google Account.
  • Is Google Password Manager Convenient? Yes, Google Password Manager is very convenient to use. It can automatically fill in your passwords for you, and it can also generate strong passwords for you.

Sounds good, but there’s more to consider than if a tool is convenient. To help, I put some key considerations into a table I’ll refer to as we review the most widely used password managers in subsequent posts:

Google Password Manager

Feature                          Value
Cost                             Free
Open Source                      No
Multiple Operating Systems       Yes
Secure Password Sharing          Yes, but only with Family Group
Organization Tools (folders)     No
Autofill in Advanced Scenarios   Yes; requires setup on Apple devices
Secure File Storage              No
Customized Password Policies     No
Emergency Access                 No
Family Plans                     Yes
Password History                 No
Password Recovery                No
Security Audits, Insights        Yes
Advanced Authentication          No
Two-factor Authentication        No
On-device Encryption             Yes, but not by default

The last one – encryption – is a major issue and something you must consider when thinking about how to manage your sensitive data online.

Who is the Keymaster?

Encryption is important because, when you retrieve login credentials from a password manager, that request often travels over the public internet where it could be intercepted. Encryption scrambles the information so only a device with the proper key can unscramble the data. Without the key, it’s gibberish.

When preparing this article, I asked Gemini what level of encryption GPM uses. Gemini responded:

GPM uses AES-256 encryption to protect your stored passwords.

  • AES-256 is considered a very strong and widely-used encryption standard.

This means your passwords are scrambled into an unreadable format before being stored on Google’s servers.

Important Note: While strong encryption is a crucial security measure, it’s essential to remember that GPM relies on Google’s infrastructure. This means Google has access to your encrypted data.

Excuse me, what? 

I asked several times many different ways for a link to an article which said “Google has access to your encrypted data.” I never found one no matter which resource I used. 

Was it an AI hallucination?

I don’t think so. Google’s own account help center clarified. 

Effectively, Google acts like a bank where your safety deposit box is housed. In the same way you must prove your identity before a banker unlocks a safety deposit box, Google verifies the user requesting the data, then sends the encrypted info. It holds onto your data, or, in Gemini’s words, “has access to your encrypted data.”

That does work, but it isn’t optimal. The more secure approach is to use on-device encryption. According to Google:

“…you lock up your passwords or passkeys with Google Password Manager, but you take the key with you instead. This means that only you can see your data.”

On-device encryption should be on by default. If you know why Google requires an extra step to enable it, please let me know.
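The two key-custody models described above, as an added Go example that is not from the post or from Google: a toy vault where, in one mode, the provider keeps the AES-256 key beside the encrypted blob (the bank holds the key), and in the other the key is derived from a secret that stays on the device, so the provider can only hand back ciphertext. HMAC-SHA256 standing in for a real key-derivation function is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Vault is what the provider stores per user. ProviderKey is nil when the key stays on the device.
type Vault struct{ Nonce, Ciphertext, ProviderKey []byte }
// deriveKey turns a secret into a 32-byte AES-256 key. HMAC-SHA256 over a fixed
// label is a simplified KDF constructed for this example, not any product's scheme.
func deriveKey(secret []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte("example-vault-key"))
	return m.Sum(nil)
}
// gcmFor builds AES-256-GCM; with a 32-byte key neither constructor can fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Store encrypts one password under a key derived from secret. With providerKeepsKey the
// provider stores the key beside the blob; without it, the provider gets ciphertext only.
func Store(password, secret []byte, providerKeepsKey bool) Vault {
	key := deriveKey(secret)
	gcm := gcmFor(key)
	v := Vault{Nonce: make([]byte, gcm.NonceSize())}
	rand.Read(v.Nonce) // crypto/rand: no short reads on supported platforms
	v.Ciphertext = gcm.Seal(nil, v.Nonce, password, nil)
	if providerKeepsKey {
		v.ProviderKey = key // the "bank holds the key" model
	}
	return v
}
// ProviderRead recovers the password using only what the provider stores.
func ProviderRead(v Vault) ([]byte, error) {
	if v.ProviderKey == nil {
		return nil, errors.New("provider holds ciphertext only")
	}
	return gcmFor(v.ProviderKey).Open(nil, v.Nonce, v.Ciphertext, nil)
}
// DeviceRead re-derives the key from the device-held secret; a wrong secret fails GCM's tag check.
func DeviceRead(v Vault, secret []byte) ([]byte, error) {
	return gcmFor(deriveKey(secret)).Open(nil, v.Nonce, v.Ciphertext, nil)
}
```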

Other Considerations

GPM works pretty well. If you use it, you should enable on-device encryption. Once that is done, it can meet the password management needs for many people.

I don’t recommend GPM because:

  1. You can’t share passwords with any person outside your six-member family group. In a business setting, it is impractical and limiting.
  2. While you can add notes to passwords, you’re unable to save secure note docs. I use a secure note in my password manager to store my parents’ username and passwords. It’s a key component.
  3. GPM is all short-term memory. If you generate a new password but the system you’re trying to access doesn’t recognize it and requires you to sign in again, you’re sunk. This has happened to me more than once, usually when sites don’t disclose character limits on new passwords.
  4. The lack of emergency access is a serious gap. In a crisis, the ability of a trusted loved one to access your medical and banking accounts may be crucial. If those credentials are stored in GPM and the master password was not shared, you’d be out of luck.
  5. GPM is not open source. You have to trust Google when it says the data is end-to-end encrypted, because it hasn’t “published a technical description of its encryption architecture.”

For me, that’s too many red flags to advocate you use GPM when better options are available. I’ll take a look at three of them in the next post.

A Question

How did I do with this explanation? Was it easy to follow, or did I gloss over something I should have explained better?

All feedback is welcome, either in the comments here or by email.
