Blog / Security & Automation

How to Bulk Delete Google Password Manager Passwords from Your Browser with a Console Script

If you have passwords saved in Google Password Manager — or any browser — they are one of the first things a hacker, a malicious browser extension, or an infostealer virus will go after. Here is why browser-stored passwords are a structural security risk, how to delete every saved Google password at once with a short console script, and how to set up a password manager that actually keeps you safe.

Brendan Andrew Chase

Brendan Andrew Chase

June 14, 2026  ·  8 min read  ·  Security & Automation

In This Article

  1. 1. Why Browser-Saved Passwords Are a Security Risk
  2. 2. The Attack Chain: How Hackers Steal Browser Passwords
  3. 3. Before You Start
  4. 4. The Bulk-Delete Script
  5. 5. How to Run It Step by Step
  6. 6. What to Expect While It Runs
  7. 7. Setting Up Your New Password Manager
  8. 8. Frequently Asked Questions

Why Browser-Saved Passwords Are a Security Risk

Google Password Manager is convenient. It pops up, offers to save your password, and fills it in next time. But if you have moved to a dedicated password manager like Bitwarden or 1Password, Google's built-in password storage quickly becomes a liability — and not just because it gets in the way.

The real problem is structural. Passwords saved in your browser are stored in a local database on your computer. They are encrypted at rest, but they decrypt automatically when you are logged into your operating system user account. This means any program running as you — any application, any browser extension, any script — operates in the same security context that can access those passwords.

A dedicated password manager is different. Your vault is encrypted behind a master password that you — and only you — know. Even if malware is running on your machine, it cannot decrypt the vault without that master password. The attack surface is one authentication prompt, not your entire OS login session.

Google Password Manager, by contrast, is tied to your Google account — which is probably the most valuable account you own and one of the most targeted. If someone gets into your Google account, they get every password you ever let Chrome save. There is no second factor between your Google login and your password vault.

Browser password storage is not a password manager

It is a convenience feature built into a web browser. It was never designed to be a secure credential vault. Treating it like one is the digital equivalent of writing your passwords on a sticky note attached to your monitor — except the sticky note is also synced to the cloud and accessible to every extension you install.

The Attack Chain: How Hackers Steal Browser Passwords

When a hacker, a piece of malware, or a malicious browser extension compromises your machine, browser-stored passwords are one of the first things they go after. It is not a theoretical risk — it is a well-documented, high-priority target in practically every infostealer campaign active today.

1. Malicious browser extensions

A browser extension with the right permissions can read form fields, intercept autofill data, and access cookies. Extensions that request broad permissions like "Read and change all your data on all websites" can silently harvest credentials as you type them or as the browser fills them in. Google's extension review process catches obvious malware, but sophisticated attackers slip through — and extensions that start legitimate can be sold, hijacked, or updated with malicious code after they have already built a user base.

Once an extension has your cookies, it can impersonate your logged-in sessions on other devices. Once it has your saved passwords, it can export them in bulk. Browser password storage hands both of these to an extension in the same place.

2. Infostealer malware

Infostealers are a category of malware purpose-built to extract saved credentials, cookies, and session tokens from browsers. RedLine, Vidar, Raccoon, and Lumma are names that appear in security incident reports constantly. They target Chromium-based browsers specifically because Chrome's password storage format is well-understood and the decryption key is derivable from the logged-in user's OS session.

The typical infostealer execution takes under 30 seconds. It runs, grabs the browser's password database and cookie store, decrypts what it can, and exfiltrates the whole lot to a command-and-control server. The user notices nothing. The attacker now has every password Chrome ever saved, plus active session cookies that let them log into accounts without even needing the password.

3. Cookie theft → password extraction

Session cookies are the keys to your logged-in accounts. If an attacker steals your cookies, they can browse as you — access your email, your bank, your admin panels — without ever touching a password. But cookies expire. Passwords do not. So after stealing cookies, the attacker's next move is to extract every saved password from the browser. That gives them persistent access. Even after you change your Google password and invalidate sessions, if they already exported your password database, they have credentials for every other service you saved.

This is the attack chain: cookie theft gets them in the door today. Password extraction keeps them in the building forever. Browser password storage bundles both assets in one location, protected by the same weak barrier — your OS login session.

This is not rare

Infostealer logs containing browser-stored passwords are sold in bulk on darknet markets. A single infected machine can yield credentials for dozens of services. The buyer does not need to be sophisticated — they just need to know where to shop. Deleting your browser-saved passwords removes you from this pipeline entirely.

The fix is simple: do not store passwords in your browser. Move them to a dedicated password manager that encrypts its vault behind a master password the browser cannot access, then delete everything Google Password Manager has saved. Google does not give you a "delete all" button — which is where the console script below comes in.

Before You Start

Make sure your real password manager is set up and working first. Export or migrate anything you still need from Google Password Manager before you start deleting. The script below removes passwords permanently from Google; there is no undo.

You will also need to be signed into the Google account whose passwords you want to delete. Open https://passwords.google.com/ in a desktop browser. The script will not work on mobile.

The Bulk-Delete Script

This script opens each saved password one at a time, clicks the Delete button, confirms the dialog, and then moves to the next one. It waits a couple of seconds between actions so the page has time to load and so it does not look completely robotic to Google's abuse filters.

// Paste this into the browser console on https://passwords.google.com/

(async () => {
  const wait = ms => new Promise(r => setTimeout(r, ms));

  async function waitFor(selector, timeout = 6000) {
    const start = Date.now();
    while (Date.now() - start < timeout) {
      const el = document.querySelector(selector);
      if (el) return el;
      await wait(200);
    }
    return null;
  }

  function findDeleteBtn() {
    return Array.from(document.querySelectorAll('button')).find(b =>
      b.querySelector('[jsname="V67aGc"]')?.textContent?.trim() === 'Delete'
    );
  }

  let deleted = 0;

  async function deleteNext() {
    await wait(1500);

    const link = document.querySelector('li[jsname="Sf4MPd"] a');
    if (!link) { console.log(`✅ Done! Deleted ${deleted}`); return; }

    link.click();
    await wait(1500);

    // Wait for Delete button on detail page
    let deleteBtn;
    const t = Date.now();
    while (!deleteBtn && Date.now() - t < 6000) {
      deleteBtn = findDeleteBtn();
      await wait(300);
    }
    if (!deleteBtn) { console.warn('⚠️ No Delete button. Stopping.'); return; }

    deleteBtn.click();

    // Wait for the dialog, then click confirm inside it
    const dialog = await waitFor('[role="dialog"]', 4000);
    if (!dialog) { console.warn('⚠️ No dialog. Stopping.'); return; }

    await wait(500);
    const confirmBtn = dialog.querySelector('[data-mdc-dialog-action="ok"]');
    if (!confirmBtn) { console.warn('⚠️ No confirm button. Stopping.'); return; }

    confirmBtn.click();
    deleted++;
    console.log(`Deleted #${deleted}`);
    await wait(2000);
    await deleteNext();
  }

  console.log('🚀 Starting...');
  await deleteNext();
})();

Only run scripts you understand

This script clicks delete buttons on your behalf. Read it before you paste it. It only operates on the Google Passwords page and does not send data anywhere else, but you should never paste random code into your console without checking what it does.

How to Run It Step by Step

1

Open Google Passwords and sign in

Go to https://passwords.google.com/. If you are not already signed in, sign in now. Then delete one password manually. Google will ask you to re-authenticate. Complete that step, then go back to the list view where you can see all your individual passwords.

2

Open the browser console

Press Shift + F12 or Ctrl + Shift + I on Windows. On Mac, use Cmd + Option + I. Click the Console tab if it is not already open.

3

Paste the script and press Enter

Copy the script above, paste it into the console, and press Enter. You will see "🚀 Starting..." in the console, followed by "Deleted #1", "Deleted #2", and so on.

4

Let it run in the background

The script deletes one password at a time with built-in delays. You can do something else while it runs. Do not close the tab or refresh the page.

What to Expect While It Runs

Google will notice the repeated deletion pattern and will probably treat it as suspicious activity. Every 15 to 70 seconds or so, the page may stop and ask you to sign in again. This is normal. When the prompt appears, sign in, go back to the password list, and the script will continue from where it left off as long as the page has not been refreshed.

If the script stops completely, check the console for a warning like "No Delete button" or "No dialog." That usually means the page layout changed or a re-auth prompt appeared. In that case, sign in again, return to the list, and re-run the script. It will skip already-deleted passwords and pick up from the next one in the list.

The total time depends on how many passwords you have saved. A few hundred passwords can take 20 to 40 minutes because of the delays and re-auth interruptions.

Setting Up Your New Password Manager

Once Google Password Manager is empty, turn it off in your Google account settings so it does not start saving passwords again. Then make sure your new password manager is set as the default in your browser. In Chrome, go to Settings → Autofill and passwords → Google Password Manager and toggle off both "Offer to save passwords" and "Auto sign-in."

The most important password you will ever create is the master password for your password manager. Make it long, memorable, and something you will never forget. As long as you remember that one password, you do not need to remember anything else.

I make my master passwords over 30 characters long, with numbers, letters, and symbols. A 15-character password that mixes character types can now be cracked by a quantum computer in days. A 30+ character passphrase or random string is a completely different category of security — we are talking centuries, not days, even with optimistic projections for quantum speedup.

A simple rule for master password length

Use the longest password you can reliably remember and type. For most people, a five- or six-word passphrase with a few numbers and symbols thrown in is both strong and usable. Do not reuse it anywhere else, and do not store it in the password manager it unlocks. Write it down once on paper and put it somewhere safe — a fireproof safe or a safety deposit box. You are protecting against digital theft, not someone breaking into your house.

Even with a strong master password, the weakest link is usually phishing. You only have to worry about one thing: people giving away their passwords when they should not. That happens when someone signs into a service that turns out to be fake. A password manager helps here too, because it will not autofill your credentials on a domain that does not match the real site — it is phishing-resistant by design.

Frequently Asked Questions

Is this script safe to use?

The script is safe in the sense that it only clicks buttons on the Google Passwords page and does not send your data anywhere. However, it permanently deletes passwords. Read it before you run it, make sure you have backups of any passwords you still need, and only paste console scripts from sources you trust.

Can a malicious browser extension really steal my saved passwords?

Yes. Extensions that request broad permissions like "Read and change all your data on all websites" can intercept autofill data, read form fields, and access cookies. A compromised extension — or one that was sold to a malicious actor after building a user base — can silently harvest credentials as the browser fills them in. This is not hypothetical; it has happened multiple times with extensions that had tens of thousands of users before the malicious update was discovered. Deleting browser-saved passwords removes the data an extension can steal.

What is an infostealer and why does it target browser passwords?

An infostealer is malware designed to extract saved credentials, cookies, and session tokens from browsers. Common variants like RedLine, Vidar, Raccoon, and Lumma target Chromium-based browsers because Chrome's password storage format is well-documented and the decryption key is accessible from the logged-in user's OS session. A typical infostealer runs in under 30 seconds, decrypts the password database and cookie store, and exfiltrates everything to a remote server. The user sees nothing. The attacker gets every password Chrome ever saved plus active session cookies that let them log in without a password at all.

Why do I have to keep signing in while the script runs?

Google sees rapid, repeated deletion of saved passwords as unusual activity. It is a security feature, not a bug. Sign in again when prompted and the script will continue. If the page refreshes, you may need to paste the script again.

Can I recover passwords after deleting them?

No. Once a password is deleted from Google Password Manager, it is gone. Export or migrate anything you need before you start. Most dedicated password managers can import a Google Password Manager CSV export if you prefer to migrate rather than delete.

Will this work on mobile?

No. You need a desktop browser with access to the developer console. The Google Passwords mobile interface does not expose the same elements and does not allow console access.

How do I stop Google Chrome from saving passwords again?

In Chrome, go to Settings → Autofill and passwords → Google Password Manager, and turn off the "Offer to save passwords" and "Auto sign-in" options. Set your new password manager as the default autofill provider in your browser so it takes priority. Also consider disabling the built-in password manager entirely via Chrome's policies if you are managing multiple devices.

Brendan Andrew Chase

Written by

Brendan Andrew Chase

Founder of Extra Large Marketing Digital. Writes about automation, security, and the practical tools that make running a business less frustrating.