Google uploading your plain text passwords

Christopher Morrow morrowc.lists at gmail.com
Sat Jun 12 17:33:35 UTC 2021


On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow <morrowc.lists at gmail.com>
wrote:

>
>
> On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher at beecher.cc> wrote:
>
>> They
>>> snuck it on me.
>>>
>>
>> "I didn't notice this until now" != "They snuck one by the goalie."
>>
>>
> actually, i was wondering while reading this thread...
> (I mean this for clarity's sake, not in a 'blame the victim' sort of way)
>
> "Did William think that password data, which had to be in plaintext to
> auto-fill forms/etc, was
> stored on the local device(s) only?"
>
> I suppose some scheme like:
>   1) keep local copies in hashed/encrypted store
>   2) upload said store to 'cloud' periodically (on change?)
>   3) download on new device / clear-all-browser-data events
>
> If the hashed pile of data is 'simply' encrypted with 'gmail/google
> account password'
> (or that and some token from 'cloud') and decrypted in some form of
> javascript functions...
>
> Then only the local browser really knows the content of the hash-file,
> right?
> NOTE: I have no idea how chrome does its thing here... but I expect the
> code is
> visible on chromium.org ? Perhaps even here:
>
> https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/
>
>
> would be a good place to go digging into the code / hows / whys /
> where-fores ?
>
>
The source.chromium site is neat; this query, for instance, finds where
'passwords.google.com' is in the code tree:

https://source.chromium.org/search?q=passwords.google.com&sq=&ss=chromium%2Fchromium%2Fsrc:chrome%2Fbrowser%2Fpassword_manager%2F

as a method to help track down the wherefores...


>
>
>>
>>
>> On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill at herrin.us> wrote:
>>
>>> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms at gmail.com>
>>> wrote:
>>> > Encryption != plain text, just because it's not a hash doesn't mean
>>> it's problematic (if done correctly).
>>>
>>> Scott, Google's computer is able to compose an html document which
>>> contains my passwords in plain text. Whatever dance they do to either
>>> side of that point in their process, at that point they possess my
>>> passwords in plain text. Why is this concept a mystery to anyone?
>>>
>>>
>>> > This is the exact same method that every single password management
>>> system uses and all are far better for the average user than trying to
>>> reuse a single password or write them down.
>>>
>>> If I had authorized it, it would indeed be just like any other
>>> password managing web site. I did not knowingly authorize it. They
>>> snuck it on me.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>>
>>> --
>>> William Herrin
>>> bill at herrin.us
>>> https://bill.herrin.us/
>>>
>>