Mailing List Archive

Google uploading your plain text passwords
Howdy,

My gmail account prompted me today to change a compromised password.
It wasn't compromised; it was an offline system where I intentionally
used a generic password. But in the process...

It turns out that every password I allowed Chrome on Android to
remember, it uploaded to Google. In plain text!! And it could prove it
by displaying the plain text passwords for me on my laptop. And I
can't turn the upload off!

To the google folks on here: Are you INSANE!?

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
That's wrong, you CAN turn it off. I believe it's encrypted between Google
and your Chrome browser, it says so but I haven't confirmed this myself.

Chrome Settings, Password, disable "Offer to save passwords"

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Jun 11, 2021 at 12:03 PM William Herrin <bill@herrin.us> wrote:

> Howdy,
>
> My gmail account prompted me today to change a compromised password.
> It wasn't compromised; it was an offline system where I intentionally
> used a generic password. But in the process...
>
> It turns out that every password I allowed Chrome on Android to
> remember, it uploaded to Google. In plain text!! And it could prove it
> by displaying the plain text passwords for me on my laptop. And I
> can't turn the upload off!
>
> To the google folks on here: Are you INSANE!?
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 9:06 AM Josh Luthman
<josh@imaginenetworksllc.com> wrote:
> That's wrong, you CAN turn it off. I believe it's encrypted between Google and your Chrome browser, it says so but I haven't confirmed this myself.

Chrome can be configured to not remember passwords at all (makes a
browser pretty useless), but it won't keep them only on the local
device. If allowed to remember passwords, it uploads them to Google.
No knob to turn sync off.

-Bill

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 9:16 AM Matthias Merkel
<matthias.merkel@staclar.com> wrote:
> On mobile: Chrome Settings -> Sync -> Uncheck Sync All -> Uncheck Passwords

This works. Thank you.

Still, on by default? How many billions of passwords does google now
have stored with reversible encryption?

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
Disable "auto sign-in" and "Save and fill addresses" and there's more for
payment methods, too.

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Jun 11, 2021 at 12:12 PM William Herrin <bill@herrin.us> wrote:

> On Fri, Jun 11, 2021 at 9:06 AM Josh Luthman
> <josh@imaginenetworksllc.com> wrote:
> > That's wrong, you CAN turn it off. I believe it's encrypted between
> > Google and your Chrome browser, it says so but I haven't confirmed this
> > myself.
>
> Chrome can be configured to not remember passwords at all (makes a
> browser pretty useless), but it won't keep them only on the local
> device. If allowed to remember passwords, it uploads them to Google.
> No knob to turn sync off.
>
> -Bill
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
    Hi,

    I use Firefox and saved its profile inside a VeraCrypt disk, inside
a Bitlocked disk, inside a Surface3 used only for that purpose =D.
    ( Yeah that includes a few physical MFA devices and Shutdown instead
of Sleeping, and yadi yada )

    So GL with Chrome =D.

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 6/11/21 12:12 PM, William Herrin wrote:
> On Fri, Jun 11, 2021 at 9:06 AM Josh Luthman
> <josh@imaginenetworksllc.com> wrote:
>> That's wrong, you CAN turn it off. I believe it's encrypted between Google and your Chrome browser, it says so but I haven't confirmed this myself.
> Chrome can be configured to not remember passwords at all (makes a
> browser pretty useless), but it won't keep them only on the local
> device. If allowed to remember passwords, it uploads them to Google.
> No knob to turn sync off.
>
> -Bill
>
Re: Google uploading your plain text passwords
William Herrin <bill@herrin.us> wrote:

> It turns out that every password I allowed Chrome on Android to
> remember, it uploaded to Google. In plain text!!

Chrome does not store your passwords in plain text.
It encrypts them locally, on e.g. macOS using, I
think, a secret stored in the keychain under "Chrome
Safe Storage", on Windows using a similar API and
secret probably unlocked via your login credentials.

If you use your favorite internet search engine to
look for "how does Chrome store passwords", you'll
find the local sqlite file and more detailed
explanations.

-Jan
Re: Google uploading your plain text passwords
Google stores encrypted passwords. By default it uses your own Google
Account password as part of the key to decrypt your other synced passwords.
But you can change that and use a custom "sync passphrase".

Once you're logged in your device can decrypt your passwords and compare
them against databases of known compromised passwords.

Google does not have access to your plain-text passwords in either case.

More info:
https://support.google.com/accounts/answer/6208650
https://security.googleblog.com/2020/10/new-password-protections-and-more-in.html

Regards,
César

On Fri, Jun 11, 2021 at 1:05 PM William Herrin <bill@herrin.us> wrote:

> Howdy,
>
> My gmail account prompted me today to change a compromised password.
> It wasn't compromised; it was an offline system where I intentionally
> used a generic password. But in the process...
>
> It turns out that every password I allowed Chrome on Android to
> remember, it uploaded to Google. In plain text!! And it could prove it
> by displaying the plain text passwords for me on my laptop. And I
> can't turn the upload off!
>
> To the google folks on here: Are you INSANE!?
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 9:38 AM Jan Schaumann via NANOG <nanog@nanog.org> wrote:
> William Herrin <bill@herrin.us> wrote:
> > It turns out that every password I allowed Chrome on Android to
> > remember, it uploaded to Google. In plain text!!
>
> Chrome does not store your passwords in plain text.
> It encrypts them locally, on e.g. macOS using, I
> think, a secret stored in the keychain under "Chrome
> Safe Storage", on Windows using a similar API and
> secret probably unlocked via your login credentials.

Hi Jan,

I'm fine with Chrome encrypting them locally. That's what I want it to
do. I'm not at all fine with it uploading them to my Google account. I
don't want any trace of my non-google passwords present in my google
account. I'm very very not fine that it happened behind my back
without my express consent.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
<ctassisf@gmail.com> wrote:
> Google does not have access to your plain-text passwords in either case.

If they can display the plain text passwords to me on my screen in a
non-Google web browser then they have access to my plain text
passwords. Everything else is semantics.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
It appears that William Herrin <bill@herrin.us> said:
>On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
><ctassisf@gmail.com> wrote:
>> Google does not have access to your plain-text passwords in either case.
>
>If they can display the plain text passwords to me on my screen in a
>non-Google web browser then they have access to my plain text
>passwords. Everything else is semantics.

I tried it in Firefox. I can log into my Google account with my Google password
and see the saved passwords but unless Firefox is doing some impressively
sophisticated content snooping, it can't do anything with them.

--
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Re: Google uploading your plain text passwords
[sorry meant to send this to the list]

Isn't that what lots of password managers do? I understand that one of them
syncs point to point, but that has the downside that it probably needs to
be on the same subnet.

The actual problem here is that sites only allow a single password. If you
could enroll more than one password you wouldn't need to sync at all.
Better: use asymmetric keys and enroll public keys so the secret never
leaves your device.

Mike

On Fri, Jun 11, 2021 at 9:53 AM William Herrin <bill@herrin.us> wrote:

> On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
> <ctassisf@gmail.com> wrote:
> > Google does not have access to your plain-text passwords in either case.
>
> If they can display the plain text passwords to me on my screen in a
> non-Google web browser then they have access to my plain text
> passwords. Everything else is semantics.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
I think you have only found the tip of the iceberg of things that Chrome
and Google do without your express consent.

On Fri, Jun 11, 2021 at 9:48 AM William Herrin <bill@herrin.us> wrote:

> On Fri, Jun 11, 2021 at 9:38 AM Jan Schaumann via NANOG <nanog@nanog.org>
> wrote:
> > William Herrin <bill@herrin.us> wrote:
> > > It turns out that every password I allowed Chrome on Android to
> > > remember, it uploaded to Google. In plain text!!
> >
> > Chrome does not store your passwords in plain text.
> > It encrypts them locally, on e.g. macOS using, I
> > think, a secret stored in the keychain under "Chrome
> > Safe Storage", on Windows using a similar API and
> > secret probably unlocked via your login credentials.
>
> Hi Jan,
>
> I'm fine with Chrome encrypting them locally. That's what I want it to
> do. I'm not at all fine with it uploading them to my Google account. I
> don't want any trace of my non-google passwords present in my google
> account. I'm very very not fine that it happened behind my back
> without my express consent.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 10:27 AM Michael Thomas <mike@mtcc.com> wrote:
> Isn't that what lots of password managers do? I understand that one of them syncs point to point, but that has the downside that it probably needs to be on the same subnet.

It's exactly what lots of password managers with browser extensions
do. I don't personally use them because I don't want my passwords
reversibly stored on a computer that I don't directly control. I have
no great philosophical problem with their existence and use by those
who want them, I just don't want them for myself.

My problem was suddenly finding Google in possession of passwords I
never intentionally allowed it to have. This sneak around behind my
back stuff means I wasn't in control of my passwords.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
On Fri, 11 Jun 2021, William Herrin wrote:

> On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
> <ctassisf@gmail.com> wrote:
>> Google does not have access to your plain-text passwords in either case.
>
> If they can display the plain text passwords to me on my screen in a
> non-Google web browser then they have access to my plain text
> passwords. Everything else is semantics.

Untrue. If you have a key on your computer, such as was mentioned that
the Google key may be stored locally in the MacOS Keychain, and you unlock
your MacOS Keychain with your local laptop login password, which is also
stored on an encrypted disk volume, that does not mean those passwords
have left your computer in plain text, or that Google has this key that
lives in your keychain.

I agree, if they do, that's terrible. But I haven't seen any evidence that
they do.

You can have multiple keys to encrypted data, and it is still stored in a
cryptographically secure way, assuming it is implemented well, despite
those multiple keys having the ability to decrypt your data.

I use 1Password. There are multiple keys that can unlock the other key
that can unlock my encrypted data. But just because I can see my passwords
in the app, and that there is a mechanism/code that can do the same
without the 1Password app to unlock and view my data, this does not mean
that 1Password has my keys, nor access to all my passwords.

Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
Re: Google uploading your plain text passwords
---------- Forwarded message ---------
From: William Herrin <bill@herrin.us>
Date: Fri, 11 Jun 2021, 17:04
Subject: Google uploading your plain text passwords
To: nanog@nanog.org <nanog@nanog.org>


Howdy,

My gmail account prompted me today to change a compromised password.
It wasn't compromised; it was an offline system where I intentionally
used a generic password. But in the process...

It turns out that every password I allowed Chrome on Android to
remember, it uploaded to Google. In plain text!! And it could prove it
by displaying the plain text passwords for me on my laptop. And I
can't turn the upload off!

To the google folks on here: Are you INSANE!?

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 12:32 PM Peter Beckman <beckman@angryox.com> wrote:

> On Fri, 11 Jun 2021, William Herrin wrote:
>
> > On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
> > <ctassisf@gmail.com> wrote:
> >> Google does not have access to your plain-text passwords in either case.
> >
> > If they can display the plain text passwords to me on my screen in a
> > non-Google web browser then they have access to my plain text
> > passwords. Everything else is semantics.
>
> Untrue. If you have a key on your computer, such as was mentioned that
> the Google key may be stored locally in the MacOS Keychain, and you unlock
> your MacOS Keychain with your local laptop login password, which is also
> stored on an encrypted disk volume, that does not mean those passwords
> have left your computer in plain text, or that Google has this key that
> lives in your keychain.
>
> I agree, if they do, that's terrible. But I haven't seen any evidence that
> they do.
>

However, if the password is entered on one device (Android device, for example,
as mentioned in the original post), and then is visible in clear-text on a different
browser on a different device (laptop, for example, again, from the original post),
then clearly the password has left the original device in a form which is reversible
to the original clear text. You can argue that it may be stored "in the cloud" in
encrypted form; but it's clearly being stored in a manner which can be reversed
to gain access to the original clear text, and using a key which is known to both
devices involved, and to the cloud system validating that authentication.

This isn't about seeing the passwords in clear text on the same device
upon which they were entered; this is about a *separate* device having
visible access to the clear text of a password that was not entered via
that device.

If the laptop had required Bill to enter a decryption key first in order to
see the clear text, and that decryption key was one he had manually
configured on both devices, stored only locally on each device, then
you might be able to argue that the cloud never has visibility into the
passwords; but if the keys are encrypted using a gmail login credential,
which is itself stored and verified within the same cloud environment as
the encrypted password strings it is protecting, then your two factor
security has collapsed back down into a single point of compromise;
compromise the google password, and you have access to all the
passwords that were uploaded and stored in the system unbeknownst
to the user.

That's the part that would leave me concerned.
Having my email password compromised?
That's a bit of a "meh" moment.
Suddenly discovering that one password now gave access to
potentially all my financial accounts as well?
That's a wake up in the night with cold sweats moment. :(

Matt
Re: Google uploading your plain text passwords
Google uses your Google Account's password to encrypt passwords synced to
the cloud. That is why passwords saved on Android and synced to the cloud
can be read elsewhere (including passwords.google.com).

As I mentioned before, if you want to avoid this behavior Google offers you
a way to use a different sync passphrase (which inhibits access to
passwords.google.com and also disables other features). Instructions here:
https://support.google.com/chrome/answer/165139#passphrase

César

On Fri, Jun 11, 2021 at 4:50 PM Matthew Petach <mpetach@netflight.com>
wrote:

>
>
> On Fri, Jun 11, 2021 at 12:32 PM Peter Beckman <beckman@angryox.com>
> wrote:
>
>> On Fri, 11 Jun 2021, William Herrin wrote:
>>
>> > On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
>> > <ctassisf@gmail.com> wrote:
>> >> Google does not have access to your plain-text passwords in either case.
>> >
>> > If they can display the plain text passwords to me on my screen in a
>> > non-Google web browser then they have access to my plain text
>> > passwords. Everything else is semantics.
>>
>> Untrue. If you have a key on your computer, such as was mentioned that
>> the Google key may be stored locally in the MacOS Keychain, and you unlock
>> your MacOS Keychain with your local laptop login password, which is also
>> stored on an encrypted disk volume, that does not mean those passwords
>> have left your computer in plain text, or that Google has this key that
>> lives in your keychain.
>>
>> I agree, if they do, that's terrible. But I haven't seen any evidence that
>> they do.
>>
>
> However, if the password is entered on one device (Android device, for example,
> as mentioned in the original post), and then is visible in clear-text on a different
> browser on a different device (laptop, for example, again, from the original post),
> then clearly the password has left the original device in a form which is reversible
> to the original clear text. You can argue that it may be stored "in the cloud" in
> encrypted form; but it's clearly being stored in a manner which can be reversed
> to gain access to the original clear text, and using a key which is known to both
> devices involved, and to the cloud system validating that authentication.
>
> This isn't about seeing the passwords in clear text on the same device
> upon which they were entered; this is about a *separate* device having
> visible access to the clear text of a password that was not entered via
> that device.
>
> If the laptop had required Bill to enter a decryption key first in order to
> see the clear text, and that decryption key was one he had manually
> configured on both devices, stored only locally on each device, then
> you might be able to argue that the cloud never has visibility into the
> passwords; but if the keys are encrypted using a gmail login credential,
> which is itself stored and verified within the same cloud environment as
> the encrypted password strings it is protecting, then your two factor
> security has collapsed back down into a single point of compromise;
> compromise the google password, and you have access to all the
> passwords that were uploaded and stored in the system unbeknownst
> to the user.
>
> That's the part that would leave me concerned.
> Having my email password compromised?
> That's a bit of a "meh" moment.
> Suddenly discovering that one password now gave access to
> potentially all my financial accounts as well?
> That's a wake up in the night with cold sweats moment. :(
>
> Matt
>
>
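Added example, not part of any post in this thread and not Chrome's or Google's actual scheme: a standard-library Python sketch of the two points argued above, namely that several secrets can each unlock the same encrypted store (key wrapping), and that who else can read it depends on whether the wrapping secret is one the sync service also handles. All names, the constructed sample secrets, the HMAC-based cipher stand-in, and the assumption that the service handles the account password at login are illustrative.

```python
import hashlib, hmac, json, os

def derive_kek(secret: str, salt: bytes) -> bytes:
    # Key-encryption key derived from a human secret (password or passphrase).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000, dklen=32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def make_record(passwords: dict, unlock_secrets: dict) -> dict:
    """Runs on the device. The returned record is everything the sync server stores."""
    data_key = os.urandom(32)                      # random; never uploaded in the clear
    record = {"items": seal(data_key, json.dumps(passwords).encode()), "wrapped": {}}
    for label, secret in unlock_secrets.items():   # one wrapped copy of data_key per secret
        salt = os.urandom(16)
        record["wrapped"][label] = (salt, seal(derive_kek(secret, salt), data_key))
    return record

def unlock(record: dict, label: str, secret: str) -> dict:
    # What a second device does after downloading the record.
    salt, wrapped = record["wrapped"][label]
    data_key = unseal(derive_kek(secret, salt), wrapped)
    return json.loads(unseal(data_key, record["items"]))

def can_read(record: dict, known_secrets: list) -> bool:
    """Could a party holding the record plus these secrets recover the passwords?"""
    for label in record["wrapped"]:
        for secret in known_secrets:
            try:
                unlock(record, label, secret)
                return True
            except ValueError:
                pass
    return False

# Constructed sample data, not real credentials.
SAVED = {"bank.example": "constructed-pw-1", "router.example": "constructed-pw-2"}
ACCOUNT_PW = "constructed account password"
PASSPHRASE = "constructed sync passphrase"
RECOVERY = "constructed recovery code"

def demo() -> dict:
    by_account = make_record(SAVED, {"account": ACCOUNT_PW})
    by_phrase = make_record(SAVED, {"passphrase": PASSPHRASE, "recovery": RECOVERY})
    server_sees = [ACCOUNT_PW]  # assumption: the service handles this secret at login
    return {
        "second_device_account": unlock(by_account, "account", ACCOUNT_PW) == SAVED,
        "two_keys_both_work": unlock(by_phrase, "passphrase", PASSPHRASE)
                              == unlock(by_phrase, "recovery", RECOVERY) == SAVED,
        "server_reads_account_keyed": can_read(by_account, server_sees),
        "server_reads_passphrase_keyed": can_read(by_phrase, server_sees),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the stored record never contains a plain-text password in either configuration; the difference is only whether a secret that unwraps the data key is also available to the party storing the record.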
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 12:01 PM William Herrin <bill@herrin.us> wrote:

> On Fri, Jun 11, 2021 at 10:27 AM Michael Thomas <mike@mtcc.com> wrote:
> > Isn't that what lots of password managers do? I understand that one of
> > them syncs point to point, but that has the downside that it probably needs
> > to be on the same subnet.
>
> It's exactly what lots of password managers with browser extensions
> do. I don't personally use them because I don't want my passwords
> reversibly stored on a computer that I don't directly control. I have
> no great philosophical problem with their existence and use by those
> who want them, I just don't want them for myself.
>

Well, browser extensions in and of themselves scare the living hell out of
me. It really surprises me that they aren't a major attack vector and in
the news all of the time.

But yes, I agree that even encrypted they are a *very* tempting target for
hackers, and especially foreign governments. A breach would mean that
everybody is instantly screwed since they don't have to break into
individual computers, install malware, etc.

Mike
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 1:05 PM César de Tassis Filho
<ctassisf@gmail.com> wrote:
> Google uses your Google Account's password to encrypt passwords synced to the cloud. That is why passwords saved on Android and synced to the cloud can be read elsewhere (including passwords.google.com).
>
> As I mentioned before, if you want to avoid this behavior Google offers you a way to use a different sync passphrase (which inhibits access to passwords.google.com and also disables other features). Instructions here: https://support.google.com/chrome/answer/165139#passphrase

Hi César,

This would be fine had I intended this behavior. That it magically
happened because I told my phone it could sync my gmail is very very
disturbing.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 12:48 PM Matthew Petach <mpetach@netflight.com>
wrote:

>
> That's the part that would leave me concerned.
> Having my email password compromised?
> That's a bit of a "meh" moment.
> Suddenly discovering that one password now gave access to
> potentially all my financial accounts as well?
> That's a wake up in the night with cold sweats moment. :(
>

Just a note about security threat modeling: your email password can
generally be used to reset all your other passwords, so actually having
your email password compromised is one of the most terrifying situations of
all. Unless, of course, you use a security key with gmail, in which case
compromise of your password may not get the attacker very far. ;)

The Chrome password manager is convenient, and the sync can be incredibly
handy (I can sign into stuff on different computers or even my phone
without needing to copy over the passwords), but you might consider leaving
your highest-value passwords out of that system, or really any system.
Personally, my financial passwords are not known by Chrome, myself, or even
my password manager. (Yes, you heard that right -- no single entity knows
the passwords. How? By using a simple secret-splitting scheme -- I
memorize part of the password, and my password manager stores the rest.)

Damian
Re: Google uploading your plain text passwords
On Fri, Jun 11, 2021 at 12:51 PM Matthew Petach <mpetach@netflight.com>
wrote:

>
> Having my email password compromised?
> That's a bit of a "meh" moment.
> Suddenly discovering that one password now gave access to
> potentially all my financial accounts as well?
> That's a wake up in the night with cold sweats moment. :(
>

Thanks for articulating the issue so well.

And glad I saw this discussion because I had no idea that
if my gmail account was compromised all my financial accounts
would become accessible.

The issue is discussed quite nicely here:
https://www.howtogeek.com/174312/can-google-employees-see-my-saved-google-chrome-passwords/
Re: Google uploading your plain text passwords
Encryption != plain text, just because it's not a hash doesn't mean it's
problematic (if done correctly). This is the exact same method that every
single password management system uses and all are far better for the
average user than trying to reuse a single password or write them down.

Scott Helms



On Fri, Jun 11, 2021 at 12:53 PM William Herrin <bill@herrin.us> wrote:

> On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
> <ctassisf@gmail.com> wrote:
> > Google does not have access to your plain-text passwords in either case.
>
> If they can display the plain text passwords to me on my screen in a
> non-Google web browser then they have access to my plain text
> passwords. Everything else is semantics.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com> wrote:
> Encryption != plain text, just because it's not a hash doesn't mean it's problematic (if done correctly).

Scott, Google's computer is able to compose an html document which
contains my passwords in plain text. Whatever dance they do to either
side of that point in their process, at that point they possess my
passwords in plain text. Why is this concept a mystery to anyone?


> This is the exact same method that every single password management system uses and all are far better for the average user than trying to reuse a single password or write them down.

If I had authorized it, it would indeed be just like any other
password managing web site. I did not knowingly authorize it. They
snuck it on me.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
>
> They
> snuck it on me.
>

"I didn't notice this until now" != "They snuck one by the goalie."



On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill@herrin.us> wrote:

> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com>
> wrote:
> > Encryption != plain text, just because it's not a hash doesn't mean it's
> > problematic (if done correctly).
>
> Scott, Google's computer is able to compose an html document which
> contains my passwords in plain text. Whatever dance they do to either
> side of that point in their process, at that point they possess my
> passwords in plain text. Why is this concept a mystery to anyone?
>
>
> > This is the exact same method that every single password management
> > system uses and all are far better for the average user than trying to
> > reuse a single password or write them down.
>
> If I had authorized it, it would indeed be just like any other
> password managing web site. I did not knowingly authorize it. They
> snuck it on me.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
