Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher@beecher.cc> wrote:

>> They snuck it on me.
>
> "I didn't notice this until now" != "They snuck one by the goalie."
>
actually, i was wondering while reading this thread...
(I mean this for clarity's sake, not in a 'blame the victim' sort of way)

"Did William think that password data, which had to be in plaintext to
auto-fill forms/etc, was stored on the local device(s) only?"

I suppose some scheme like:
1) keep local copies in hashed/encrypted store
2) upload said store to 'cloud' periodically (on change?)
3) download on new device / clear-all-browser-data events

If the hashed pile of data is 'simply' encrypted with 'gmail/google account
password' (or that and some token from 'cloud') and decrypted in some form of
javascript functions...

Then only the local browser really knows the content of the hash-file, right?
NOTE: I have no idea how chrome does its thing here... but I expect the
code is visible on chromium.org ? Perhaps even here:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/

would be a good place to go digging into the code / hows / whys /
where-fores ?



>
>
> On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill@herrin.us> wrote:
>
>> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com>
>> wrote:
>> > Encryption != plain text, just because it's not a hash doesn't mean
>> it's problematic (if done correctly).
>>
>> Scott, Google's computer is able to compose an html document which
>> contains my passwords in plain text. Whatever dance they do to either
>> side of that point in their process, at that point they possess my
>> passwords in plain text. Why is this concept a mystery to anyone?
>>
>>
>> > This is the exact same method that every single password management
>> system uses and all are far better for the average user than trying to
>> reuse a single password or write them down.
>>
>> If I had authorized it, it would indeed be just like any other
>> password managing web site. I did not knowingly authorize it. They
>> snuck it on me.
>>
>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William Herrin
>> bill@herrin.us
>> https://bill.herrin.us/
>>
>
Re: Google uploading your plain text passwords
On 12 Jun 2021, at 10.29, William Herrin <bill@herrin.us> wrote:
>
> They snuck it on me.

By hiding it right on the "browser features" page?
Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow <morrowc.lists@gmail.com>
wrote:

>
>
> On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher@beecher.cc> wrote:
>
>>> They snuck it on me.
>>>
>>
>> "I didn't notice this until now" != "They snuck one by the goalie."
>>
>>
> actually, i was wondering while reading this thread...
> (I mean this for clarity's sake, not in a 'blame the victim' sort of way)
>
> "Did William think that password data, which had to be in plaintext to
> auto-fill forms/etc, was
> stored on the local device(s) only?"
>
> I suppose some scheme like:
> 1) keep local copies in hashed/encrypted store
> 2) upload said store to 'cloud' periodically (on change?)
> 3) download on new device / clear-all-browser-data events
>
> If the hashed pile of data is 'simply' encrypted with 'gmail/google
> account password'
> (or that and some token from 'cloud') and decrypted in some form of
> javascript functions...
>
> Then only the local browser really knows the content of the hash-file,
> right?
> NOTE: I have no idea how chrome does its thing here... but I expect the
> code is
> visible on chromium.org ? Perhaps even here:
>
> https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/
>
>
> would be a good place to go digging into the code / hows / whys /
> where-fores ?
>
>
The source.chromium site is neat, this query, for instance, finds where
'passwords.google.com' is in the code tree:

https://source.chromium.org/search?q=passwords.google.com&sq=&ss=chromium%2Fchromium%2Fsrc:chrome%2Fbrowser%2Fpassword_manager%2F

as a method to help track down the wherefores...


>
>
>>
>>
>> On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill@herrin.us> wrote:
>>
>>> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com>
>>> wrote:
>>> > Encryption != plain text, just because it's not a hash doesn't mean
>>> it's problematic (if done correctly).
>>>
>>> Scott, Google's computer is able to compose an html document which
>>> contains my passwords in plain text. Whatever dance they do to either
>>> side of that point in their process, at that point they possess my
>>> passwords in plain text. Why is this concept a mystery to anyone?
>>>
>>>
>>> > This is the exact same method that every single password management
>>> system uses and all are far better for the average user than trying to
>>> reuse a single password or write them down.
>>>
>>> If I had authorized it, it would indeed be just like any other
>>> password managing web site. I did not knowingly authorize it. They
>>> snuck it on me.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>>
>>> --
>>> William Herrin
>>> bill@herrin.us
>>> https://bill.herrin.us/
>>>
>>
Re: Google uploading your plain text passwords
On 12/06/2021 08:31, Damian Menscher via NANOG wrote:
>
>
> The Chrome password manager is convenient, and the sync can be
> incredibly handy (I can sign into stuff on different computers or even
> my phone without needing to copy over the passwords), but you might
> consider leaving your highest-value passwords out of that system, or
> really any system.  Personally, my financial passwords are not known by
> Chrome, myself, or even my password manager.  (Yes, you heard that right
> -- no single entity knows the passwords.  How?  By using a simple
> secret-splitting scheme -- I memorize part of the password, and my
> password manager stores the rest.)

Or:
https://doubleoctopus.com/

-Hank

>
> Damian
Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 12:33 PM Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> [....]
> If the hashed pile of data is 'simply' encrypted with 'gmail/google account password'
> (or that and some token from 'cloud') and decrypted in some form of javascript functions...
> Then only the local browser really knows the content of the hash-file, right?

It seems that in this case, anyone who has any way of knowing the
content of the 'gmail/google account password' can know the content
of the hash-file.

Can you show that their servers don't also record anybody's account
password or keys derived from it?

If you log in to their services, then you directly send them the
necessary piece of information to create that record, and often, so
even if they don't retain the browser account password in plaintext...
there are still ways for them to discover what that is: by adjusting
their login process at a later date to store some extra info. on
successful login, they would not even need to brute force whatever
hashing scheme they use to protect passwords.

This could be more expedient to them "for Support purposes" if they
later find many users ask for help recovering their password vaults
from a forgotten account password - saving a copy might be more
convenient for their support than not saving a copy of keys.

If they don't store the key today in a way accessible to them, then
it's most likely 1 minor code change to some of their server(s) to make
and save a copy of that key derived from the authentication password on
the server side you just auth'd against, at some point.

Such a change could be made to happen at any time, or intermittently, and
since it's code that would reside entirely on the servers, there would
be no possible means on the client of detecting that the server's now
keeping a copy of a login hash: when you just filled out the login
form in your web browser, etc.

Doesn't matter whether that would be a deliberate update in the future
due to a change in priorities and policies by management, or some
rogue/misguided dev trying to solve a problem, or an actual malicious
actor; the result is the same -- they would have no obligation to
tell people that they're now saving the key; the servers can in
theory possess both the data and the keys used to decrypt it: both
pieces of info pass through systems completely administered by the same
provider at some point.

The end user has no visibility and lacks so much as a contract they
would breach by deploying the update.

> NOTE: I have no idea how chrome does its thing here... but I expect the code is
> visible on chromium.org ? Perhaps even here:
--
-Jim
Re: Google uploading your plain text passwords
> Scott, Google's computer is able to compose an html document which
> contains my passwords in plain text. Whatever dance they do to either
> side of that point in their process, at that point they possess my
> passwords in plain text. Why is this concept a mystery to anyone?

Because it's wrong, they don't have your passwords, you do (more accurately
your device does). They don't combine the decryption keys with the
encrypted data, your device does. This is the case whenever something is
encrypted rather than hashed. It's literally impossible to provide a
password saving mechanism that hashes the credentials.


> If I had authorized it, it would indeed be just like any other
> password managing web site. I did not knowingly authorize it. They
> snuck it on me.

You did authorize, you just didn't read the fine print. Having said that,
this part of your complaint is definitely the one that has the most merit
IMO since if you enable it on mobile it directs you to a web page that you
can't see at that time.

If you're concerned then I'd recommend setting a synch phrase, which makes
it impossible for Google to decrypt the credentials without you inputting
it and they do not store it.

https://support.google.com/chrome/answer/165139?visit_id=637591216572649483-884903087&rd=1

Scott Helms



On Sat, Jun 12, 2021 at 10:29 AM William Herrin <bill@herrin.us> wrote:

> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com>
> wrote:
> > Encryption != plain text, just because it's not a hash doesn't mean it's
> problematic (if done correctly).
>
> Scott, Google's computer is able to compose an html document which
> contains my passwords in plain text. Whatever dance they do to either
> side of that point in their process, at that point they possess my
> passwords in plain text. Why is this concept a mystery to anyone?
>
>
> > This is the exact same method that every single password management
> system uses and all are far better for the average user than trying to
> reuse a single password or write them down.
>
> If I had authorized it, it would indeed be just like any other
> password managing web site. I did not knowingly authorize it. They
> snuck it on me.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
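
Added example (not part of any message in this thread, and not Chrome's or Google's code): a small Node.js model of the two designs argued over above, a vault key derived from the account password that is submitted at login versus one derived from a separate sync passphrase that stays on the device. `SyncServer`, `sealVault`, `openVault` and every sample value are hypothetical and constructed; scrypt and AES-256-GCM are assumptions chosen for the sketch.

```javascript
// Added example: constructed values throughout; not Chrome's or Google's code.
const nodeCrypto = require("node:crypto");

// Derive a 256-bit vault key from a secret and a per-vault salt (scrypt).
function deriveKey(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32);
}

// Client side: encrypt the password list before upload (AES-256-GCM).
function sealVault(entries, secret) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  // This blob is everything the server is given to store.
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Whoever holds the blob and the right secret can open it; a wrong secret
// fails the GCM tag check and yields null.
function openVault(blob, secret) {
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(secret, blob.salt), blob.iv);
    d.setAuthTag(blob.tag);
    const pt = Buffer.concat([d.update(blob.ct), d.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Hypothetical sync server. It stores the blob and necessarily sees whatever
// the login form submits. `seenAtLogin` models the "1 minor code change"
// from the thread: retaining what already passes through at login.
class SyncServer {
  constructor() {
    this.blobs = new Map();
    this.seenAtLogin = new Map();
  }
  login(user, accountPassword) {
    this.seenAtLogin.set(user, accountPassword);
    return true;
  }
  upload(user, blob) {
    this.blobs.set(user, blob);
  }
  // What the operator can recover from server-side data alone.
  operatorView(user) {
    return openVault(this.blobs.get(user), this.seenAtLogin.get(user));
  }
}

function compareDesigns() {
  const entries = [{ site: "bank.example", user: "alice", password: "constructed-pw-1" }];
  const accountPassword = "constructed-account-password";
  const syncPassphrase = "constructed sync passphrase, never submitted";

  // Design A: vault key derived from the same password sent at login.
  const a = new SyncServer();
  a.login("alice", accountPassword);
  a.upload("alice", sealVault(entries, accountPassword));

  // Design B: vault key derived from a separate passphrase kept on the device.
  const b = new SyncServer();
  b.login("alice", accountPassword);
  b.upload("alice", sealVault(entries, syncPassphrase));

  return {
    serverReadsA: a.operatorView("alice") !== null,
    serverReadsB: b.operatorView("alice") !== null,
    deviceReadsB: openVault(b.blobs.get("alice"), syncPassphrase)[0].password,
  };
}

console.log(compareDesigns());
```

Design B keeps the operator out only as long as the passphrase is typed into code the server cannot change; a web page that ships its own decryption JavaScript is served by the same party that holds the blob.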
Re: Google uploading your plain text passwords
Jim, I'd direct you to the bottom of my 1st message that says:
"I have no idea how this works, but..."

On Sat, Jun 12, 2021 at 2:35 PM Jim <mysidia@gmail.com> wrote:

>
> > NOTE: I have no idea how chrome does its thing here... but I expect the
> code is
> > visible on chromium.org ? Perhaps even here:
>
> -chris
Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 12:10 PM K. Scott Helms <kscott.helms@gmail.com> wrote:
> Scott, Google's computer is able to compose an html document which
> contains my passwords in plain text. Whatever dance they do to either
> side of that point in their process, at that point they possess my
> passwords in plain text. Why is this concept a mystery to anyone?
>
> Because it's wrong, they don't have your passwords you do (more accurately your device does). They don't combine the decryption keys with the encrypted data, your device does.

Look buddy, I'm not lying. Google's server at passwords.google.com
composed an html web page containing my plaintext passwords and sent
it to me. Not decrypted by my browser after combining it with a
locally stored key. Decrypted on and by Google's server. It's not
wrong. It's not false. It happened just like that.


> You did authorize, you just didn't read the fine print.

I always read the fine print. I'm that guy. I don't always go
searching the menus for bad defaults but I always read everything they
bother to tell me I'm agreeing to.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 10:36 AM Max Harmony via NANOG <nanog@nanog.org> wrote:
> On 12 Jun 2021, at 10.29, William Herrin <bill@herrin.us> wrote:
>> They snuck it on me.
>
> By hiding it right on the "browser features" page?

By silently defaulting it to enabled, damn right.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
Bill,

I don't think you're lying, but you are mistaken.

"I'm not lying. Google's server at passwords.google.com
composed an html web page containing my plaintext passwords and sent
it to me. Not decrypted by my browser after combining it with a
locally stored key. "

So, you're not describing all of the possible ways to decrypt data. What's
happening is that the keys to decrypt the passwords are handed to your
client (with some checks like a local admin password or pin) when you
attempt to decrypt a given password. The passwords _are_ decrypted on your
device and you did not get a HTML page with your passwords. Please, go
look at the source yourself. What you got was a page that's almost
entirely javascript and that includes the functions that handle the
decryption.

Don't take my word for it, "When you log in to a website while signed in to
Chrome, Chrome encrypts your username and password with a secret key known
only to your device. Then it sends an obscured copy of your data to Google.
Because the encryption happens before Google’s servers get the information,
nobody, including Google, learns your username or password."

https://support.google.com/chrome/answer/10311524?hl=en#zippy=%2Chow-password-protection-works%2Chow-we-protect-your-data

If you want the technical details, please take a look at this paper. It
goes into detail about the process for Chrome, Firefox, and LastPass.

https://courses.csail.mit.edu/6.857/2020/projects/6-Vadari-Maccow-Lin-Baral.pdf

Scott Helms



On Sat, Jun 12, 2021 at 5:51 PM William Herrin <bill@herrin.us> wrote:

> On Sat, Jun 12, 2021 at 12:10 PM K. Scott Helms <kscott.helms@gmail.com>
> wrote:
> > Scott, Google's computer is able to compose an html document which
> > contains my passwords in plain text. Whatever dance they do to either
> > side of that point in their process, at that point they possess my
> > passwords in plain text. Why is this concept a mystery to anyone?
> >
> > Because it's wrong, they don't have your passwords you do (more
> accurately your device does). They don't combine the decryption keys with
> the encrypted data, your device does.
>
> Look buddy, I'm not lying. Google's server at passwords.google.com
> composed an html web page containing my plaintext passwords and sent
> it to me. Not decrypted by my browser after combining it with a
> locally stored key. Decrypted on and by Google's server. It's not
> wrong. It's not false. It happened just like that.
>
>
> > You did authorize, you just didn't read the fine print.
>
> I always read the fine print. I'm that guy. I don't always go
> searching the menus for bad defaults but I always read everything they
> bother to tell me I'm agreeing to.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
>
> So, you're not describing all of the possible ways to decrypt data.
> What's happening is that the keys to decrypt the passwords are handed to
> your client (with some checks like a local admin password or pin) when you
> attempt to decrypt a given password. The passwords _are_ decrypted on your
> device and you did not get a HTML page with your passwords. Please, go
> look at the source yourself. What you got was a page that's almost
> entirely javascript and that includes the functions that handle the
> decryption.
>

This. Takes about 5 mins to figure out in the developer console.

On Sat, Jun 12, 2021 at 6:56 PM K. Scott Helms <kscott.helms@gmail.com>
wrote:

> Bill,
>
> I don't think you're lying, but you are mistaken.
>
> "I'm not lying. Google's server at passwords.google.com
> composed an html web page containing my plaintext passwords and sent
> it to me. Not decrypted by my browser after combining it with a
> locally stored key. "
>
> So, you're not describing all of the possible ways to decrypt data.
> What's happening is that the keys to decrypt the passwords are handed to
> your client (with some checks like a local admin password or pin) when you
> attempt to decrypt a given password. The passwords _are_ decrypted on your
> device and you did not get a HTML page with your passwords. Please, go
> look at the source yourself. What you got was a page that's almost
> entirely javascript and that includes the functions that handle the
> decryption.
>
> Don't take my word for it, "When you log in to a website while signed in
> to Chrome, Chrome encrypts your username and password with a secret key
> known only to your device. Then it sends an obscured copy of your data to
> Google. Because the encryption happens before Google’s servers get the
> information, nobody, including Google, learns your username or password."
>
>
> https://support.google.com/chrome/answer/10311524?hl=en#zippy=%2Chow-password-protection-works%2Chow-we-protect-your-data
>
> If you want the technical details, please take a look at this paper. It
> goes into detail about the process for Chrome, Firefox, and LastPass.
>
>
> https://courses.csail.mit.edu/6.857/2020/projects/6-Vadari-Maccow-Lin-Baral.pdf
>
> Scott Helms
>
>
>
> On Sat, Jun 12, 2021 at 5:51 PM William Herrin <bill@herrin.us> wrote:
>
>> On Sat, Jun 12, 2021 at 12:10 PM K. Scott Helms <kscott.helms@gmail.com>
>> wrote:
>> > Scott, Google's computer is able to compose an html document which
>> > contains my passwords in plain text. Whatever dance they do to either
>> > side of that point in their process, at that point they possess my
>> > passwords in plain text. Why is this concept a mystery to anyone?
>> >
>> > Because it's wrong, they don't have your passwords you do (more
>> accurately your device does). They don't combine the decryption keys with
>> the encrypted data, your device does.
>>
>> Look buddy, I'm not lying. Google's server at passwords.google.com
>> composed an html web page containing my plaintext passwords and sent
>> it to me. Not decrypted by my browser after combining it with a
>> locally stored key. Decrypted on and by Google's server. It's not
>> wrong. It's not false. It happened just like that.
>>
>>
>> > You did authorize, you just didn't read the fine print.
>>
>> I always read the fine print. I'm that guy. I don't always go
>> searching the menus for bad defaults but I always read everything they
>> bother to tell me I'm agreeing to.
>>
>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William Herrin
>> bill@herrin.us
>> https://bill.herrin.us/
>>
>
Re: Google uploading your plain text passwords
On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms <kscott.helms@gmail.com> wrote:
> I don't think you're lying, but you are mistaken.
>
> "I'm not lying. Google's server at passwords.google.com
> composed an html web page containing my plaintext passwords and sent
> it to me. Not decrypted by my browser after combining it with a
> locally stored key. "
>
> So, you're not describing all of the possible ways to decrypt data. What's happening is that the keys to decrypt the passwords are handed to your client (with some checks like a local admin password or pin) when you attempt to decrypt a given password. The passwords _are_ decrypted on your device and you did not get a HTML page with your passwords. Please, go look at the source yourself. What you got was a page that's almost entirely javascript and that includes the functions that handle the decryption.
>
> Don't take my word for it, "When you log in to a website while signed in to Chrome, Chrome encrypts your username and password with a secret key known only to your device. Then it sends an obscured copy of your data to Google. Because the encryption happens before Google’s servers get the information, nobody, including Google, learns your username or password."

There's a problem with your theory. The browser I viewed the passwords
from Google in wasn't Chrome. And it didn't have a local copy of any
Google passwords or keys. The only place they could have come from was
Google's server.

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Google uploading your plain text passwords
Bill,

It's not a theory and it doesn't have to be Chrome to work. Javascript
does the work to decrypt the data and it's not browser specific.

Read the PDF I supplied that details _exactly_ how the key exchange and
encryption works.

Scott Helms



On Sat, Jun 12, 2021 at 10:35 PM William Herrin <bill@herrin.us> wrote:

> On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms <kscott.helms@gmail.com>
> wrote:
> > I don't think you're lying, but you are mistaken.
> >
> > "I'm not lying. Google's server at passwords.google.com
> > composed an html web page containing my plaintext passwords and sent
> > it to me. Not decrypted by my browser after combining it with a
> > locally stored key. "
> >
> > So, you're not describing all of the possible ways to decrypt data.
> What's happening is that the keys to decrypt the passwords are handed to
> your client (with some checks like a local admin password or pin) when you
> attempt to decrypt a given password. The passwords _are_ decrypted on your
> device and you did not get a HTML page with your passwords. Please, go
> look at the source yourself. What you got was a page that's almost
> entirely javascript and that includes the functions that handle the
> decryption.
> >
> > Don't take my word for it, "When you log in to a website while signed in
> to Chrome, Chrome encrypts your username and password with a secret key
> known only to your device. Then it sends an obscured copy of your data to
> Google. Because the encryption happens before Google’s servers get the
> information, nobody, including Google, learns your username or password."
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>

Yes. The *encrypted* blob of login/password data was retrieved from
Google's servers over a TLS protected session. When you click on any
password to view it, the Javascript that it also downloaded presents you
with another password challenge, which when successful, the JS will then
decrypt and display the data.

- Nothing is ever transmitted in the clear.
- The decryption as far as I can see is only ever done locally. ( Using the OS
hooks if in Chrome, or Javascript via passwords.google.com. )

On Sat, Jun 12, 2021 at 10:36 PM William Herrin <bill@herrin.us> wrote:

> On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms <kscott.helms@gmail.com>
> wrote:
> > I don't think you're lying, but you are mistaken.
> >
> > "I'm not lying. Google's server at passwords.google.com
> > composed an html web page containing my plaintext passwords and sent
> > it to me. Not decrypted by my browser after combining it with a
> > locally stored key. "
> >
> > So, you're not describing all of the possible ways to decrypt data.
> What's happening is that the keys to decrypt the passwords are handed to
> your client (with some checks like a local admin password or pin) when you
> attempt to decrypt a given password. The passwords _are_ decrypted on your
> device and you did not get a HTML page with your passwords. Please, go
> look at the source yourself. What you got was a page that's almost
> entirely javascript and that includes the functions that handle the
> decryption.
> >
> > Don't take my word for it, "When you log in to a website while signed in
> to Chrome, Chrome encrypts your username and password with a secret key
> known only to your device. Then it sends an obscured copy of your data to
> Google. Because the encryption happens before Google’s servers get the
> information, nobody, including Google, learns your username or password."
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
Has anyone used or looked at Bitwarden?

They have a commercial cloud version, but also there is a run it
yourself version.

There is a Rust port called vaultwarden with docker images.

Anyone have any experience with this particular password manager?

Geoff


On 6/13/21 11:12 AM, Tom Beecher wrote:
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>
>
> Yes. The *encrypted* blob of login/password data was retrieved from
> Google's servers over a TLS protected session. When you click on any
> password to view it, the Javascript that it also downloaded presents
> you with another password challenge, which when successful, the JS
> will then decrypt and display the data.
>
> - Nothing is ever transmitted in the clear.
> - The decryption as far as I can see is only ever done locally. ( Using
> the OS hooks if in Chrome, or Javascript via passwords.google.com. )
>
> On Sat, Jun 12, 2021 at 10:36 PM William Herrin <bill@herrin.us> wrote:
>
> On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms
> <kscott.helms@gmail.com> wrote:
> > I don't think you're lying, but you are mistaken.
> >
> > "I'm not lying. Google's server at passwords.google.com
> > composed an html web page containing my plaintext passwords and sent
> > it to me. Not decrypted by my browser after combining it with a
> > locally stored key. "
> >
> > So, you're not describing all of the possible ways to decrypt
> data.  What's happening is that the keys to decrypt the passwords
> are handed to your client (with some checks like a local admin
> password or pin) when you attempt to decrypt a given password. 
> The passwords _are_ decrypted on your device and you did not get a
> HTML page with your passwords.  Please, go look at the source
> yourself.  What you got was a page that's almost entirely
> javascript and that includes the functions that handle the decryption.
> >
> > Don't take my word for it, "When you log in to a website while
> signed in to Chrome, Chrome encrypts your username and password
> with a secret key known only to your device. Then it sends an
> obscured copy of your data to Google. Because the encryption
> happens before Google’s servers get the information, nobody,
> including Google, learns your username or password."
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/
>
Re: Google uploading your plain text passwords
I am not the brightest bulb in the house, but when I try to go to
passwords.google.com, I get the following response:

> Google can't check your passwords for security issues because you set up a
> passphrase to encrypt your passwords in your Google Account. This keeps the
> data private to you. Learn more.
> <https://support.google.com/chrome/bin/answer/165139?hl=en>


This occurs on my Google Chrome browser, which does sync my passwords
between devices because I have the browser signed into my personal account,
and my Brave browser, which is never signed in with any Google accounts.

I don't remember setting a passphrase, but apparently I did. I can't
remember if I did that because I did see a behaviour, such as showing me
all my passwords with little to no effort, or it was offered as a security
feature and I said, "Yes, please."

Jason K Pope
214.566.8527
boards188@gmail.com
Greater love has no one than this, that one lay down his life for his
friends.
John 15:13
