Issue 781138

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




Gmail password changed but Chrome still shows stored passwords in a different computer

Reported by kishore....@gmail.com, Nov 3 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Launch Chrome on two machines.
2. On Machine A: sign out of all Google sessions from within Gmail ==> "Last Activity Details" and "Sign out of all web sessions".
3. Change the Google password.
4. Now on machine two, open your fav site whose credentials are stored in Chrome. Chrome allowed me to use my fav site passwords. The password change has NO effect on Chrome. I did NOT have to log into Chrome.

What is the expected behavior?
I should also be logged out of Chrome and the password assist should NOT work any longer.

What went wrong?
Chrome showed that my account is out of sync, but the password assist is still working.

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 27.0 r0

Attachment: chrome log-out.jpg (169 KB)
Cc: ew...@chromium.org
Components: Services>Sync

I /think/ this is working as intended; see Issue 766092.

ewald?
ewald thank you. I looked at the Issue 766092. In my case I lost my laptop and yes my Windows password is kinda secure and NOT a simple password. However if someone can get through my Windows password then I am basically exposed. So I signed out from all web sessions from within Gmail and I changed my Google password. I still can see that I am vulnerable. How can I make my situation better??

Comment 3 by ew...@chromium.org, Nov 3 2017

Status: WontFix (was: Unconfirmed)
Correct, this is WAI. When you change your Google Password, it puts Chrome into an "auth error" state, which stops sync.

However, that just stops the *syncing* of data between your local Chrome profile and your Google Account (i.e. it breaks the connection between your device & Google's cloud). However, any data that's *already been synced* to that device is part of the local profile. The data isn't tied to your Google Account, and it doesn't get cleared automatically when sync is turned off (or stops working due to an auth error).

@kishore - I'm sorry to hear that you lost your laptop :( It's good to hear that you have a Windows password protecting your laptop. I don't have any other suggestions for remotely wiping your local Chrome data on that device.

Note that even if we did tie the data to your Google Account, it wouldn't provide any security guarantees; the attacker could just disconnect your laptop from the internet as soon as he obtains it, which would prevent Chrome from even seeing that you changed your password and getting an auth error.

Marking as WontFix since this is WAI. Best of luck finding your laptop!
Issue 792967 has been merged into this issue.

The idea of Working As Intended is NOT an appropriate way to handle the situation. Have you thought about other ways to manage the situation? When the browser detects that the password is out of sync, why is it still auto-completing the passwords tied to an account? Shouldn't this feature be disabled, acknowledging the fact that the account is now out of sync? What precautions is the browser taking when it detects that the account is out of sync? This issue is NOT about me finding my lost laptop. This is a security gap in how Chrome works.

Re #5: An attacker with physical access to your computer and the permission to log into your user account need not bother using Chrome at all. They can simply extract the data directly from the encrypted storage (which is encrypted with your user account's private key) without even launching Chrome.

https://chromium.googlesource.com/chromium/src/+/lkcr/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

Firefox has a concept of Master Password which helps protect the password file with a key that is NOT generated from your Windows password.

Issue 808820 has been merged into this issue.

Project Member

Comment 9 by sheriffbot@chromium.org, Feb 9 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
