Google uploading your plain text passwords

Christopher Morrow morrowc.lists at gmail.com
Sat Jun 12 17:31:51 UTC 2021


On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher at beecher.cc> wrote:

> They
>> snuck it on me.
>>
>
> "I didn't notice this until now" != "They snuck one by the goalie."
>
>
Actually, I was wondering while reading this thread...
(I mean this for clarity's sake, not in a 'blame the victim' sort of way)

"Did William think that password data, which had to be in plaintext to
auto-fill forms/etc, was stored on the local device(s) only?"

I suppose some scheme like:
  1) keep local copies in hashed/encrypted store
  2) upload said store to 'cloud' periodically (on change?)
  3) download on new device / clear-all-browser-data events

If the hashed pile of data is 'simply' encrypted with the 'gmail/google account
password' (or that and some token from 'cloud') and decrypted in some form of
javascript functions...

Then only the local browser really knows the content of the hash-file, right?
NOTE: I have no idea how chrome does its thing here... but I expect the code is
visible on chromium.org? Perhaps even here:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/


would be a good place to go digging into the code / hows / whys / where-fores?



>
>
> On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill at herrin.us> wrote:
>
>> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms at gmail.com>
>> wrote:
>> > Encryption != plain text, just because it's not a hash doesn't mean
>> it's problematic (if done correctly).
>>
>> Scott, Google's computer is able to compose an html document which
>> contains my passwords in plain text. Whatever dance they do to either
>> side of that point in their process, at that point they possess my
>> passwords in plain text. Why is this concept a mystery to anyone?
>>
>>
>> > This is the exact same method that every single password management
>> system uses and all are far better for the average user than trying to
>> reuse a single password or write them down.
>>
>> If I had authorized it, it would indeed be just like any other
>> password managing web site. I did not knowingly authorize it. They
>> snuck it on me.
>>
>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William Herrin
>> bill at herrin.us
>> https://bill.herrin.us/
>>
>
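The three-step scheme Chris sketches above (local encrypted store, uploaded as-is, decrypted again on the next device), as an added illustration that is not code from this thread or from Chromium: keys are derived on the device from the account password, so the blob that goes to the sync server contains nothing it can read. The stdlib-only HMAC-counter keystream stands in for AES-GCM, and the iteration count and sample vault are constructed values.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # constructed; tune PBKDF2 cost for the device, not the server


def derive_keys(account_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> (encryption key, MAC key). Runs only on the device."""
    material = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib PRF; a real client would use AES-GCM here.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(vault: dict, account_password: str) -> dict:
    """Step 1/2: encrypt the vault locally; the returned blob is what gets uploaded."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(account_password, salt)
    plaintext = json.dumps(vault, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(blob: dict, account_password: str) -> dict:
    """Step 3: decrypt after download on a new device. Wrong password or a
    modified blob fails the tag check before any plaintext is produced."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(account_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tag mismatch: wrong account password or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def blob_exposes(blob: dict, vault: dict) -> bool:
    """Defender's check: does the uploaded blob contain any stored password verbatim?"""
    uploaded = json.dumps(blob)
    return any(entry["password"] in uploaded for entry in vault.values())
```

The only way the server could reproduce the plaintext is by also holding the account password (or a token that substitutes for it), which is exactly the question the thread is arguing over.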