Google uploading your plain text passwords

Matthew Petach mpetach at netflight.com
Fri Jun 11 19:48:10 UTC 2021


On Fri, Jun 11, 2021 at 12:32 PM Peter Beckman <beckman at angryox.com> wrote:

> On Fri, 11 Jun 2021, William Herrin wrote:
>
> > On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
> > <ctassisf at gmail.com> wrote:
> >> Google does not have access to your plain-text passwords in either case.
> >
> > If they can display the plain text passwords to me on my screen in a
> > non-Google web browser then they have access to my plain text
> > passwords. Everything else is semantics.
>
>   Untrue. If you have a key on your computer, such as was mentioned that
>   the Google key may be stored locally in the MacOS Keychain, and you
> unlock
>   your MacOS Keychain with your local laptop login password, which is also
>   stored on an encrypted disk volume, that does not mean those passwords
>   have left your computer in plain text, or that Google has this key that
>   lives in your keychain.
>
>   I agree, if they do, that's terrible. But I haven't seen any evidence
> that
>   they do.
>

However, if the password is entered on one device (Android device, for
example,
as mentioned in the original post), and then is visible in clear-text on a
different
browser on a different device (laptop, for example, again, from the
original post),
then clearly the password has left the original device in a form which is
reversible
to the original clear text.  You can argue that it may be stored "in the
cloud" in
encrypted form; but it's clearly being stored in a manner which can be
reversed
to gain access to the original clear text, and using a key which is known
to both
devices involved, and to the cloud system validating that authentication.

This isn't about seeing the passwords in clear text on the same device
upon which they were entered; this is about a *separate* device having
visible access to the clear text of a password that was not entered via
that device.

If the laptop had required Bill to enter a decryption key first in order to
see the clear text, and that decryption key was one he had manually
configured on both devices, stored only locally on each device, then
you might be able to argue that the cloud never has visibility into the
passwords; but if the keys are encrypted using a gmail login credential,
which is itself stored and verified within the same cloud environment as
the encrypted password strings it is protecting, then your two factor
security has collapsed back down into a single point of compromise;
compromise the google password, and you have access to all the
passwords that were uploaded and stored in the system unbeknownst
to the user.

That's the part that would leave me concerned.
Having my email password compromised?
That's a bit of a "meh" moment.
Suddenly discovering that one password now gave access to
potentially all my financial accounts as well?
That's a wake up in the night with cold sweats moment.  :(

Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210611/7ba7bc52/attachment.html>


More information about the NANOG mailing list