nanog mailing list archives
Re: Google uploading your plain text passwords
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Sat, 12 Jun 2021 13:33:35 -0400
On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow <morrowc.lists () gmail com> wrote:
On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher () beecher cc> wrote:Theysnuck it on me."I didn't notice this until now" != "They snuck one by the goalie."actually, i was wondering while reading this thread... (I mean this for clarity sake, not in a 'blame the victim' sort of way" "Did William think that password data, which had to be in plaintext to auto-fill forms/etc, was stored on the local device(s) only?" I suppose some scheme like: 1) keep local copies in hashed/encrypted store 2) upload said store to 'cloud' periodically (on change?) 3) download on new device / clear-all-browser-data events If the hashed pile of data is 'simply' encrypted with 'gmail/google account password' (or that and some token from 'cloud') and decrypted in some form of javascript functions... Then only the local browser really knows the content of the hash-file, right? NOTE: I have no idea how chrome does it's thing here... but I expect the code is visible on chromium.org ? Perhaps even here: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/ would be a good place to go digging into the code / hows / whys / where-fores ?
The source.chromium site is neat, this query, for instance, finds where ' passwords.google.com' is in the code tree: https://source.chromium.org/search?q=passwords.google.com&sq=&ss=chromium%2Fchromium%2Fsrc:chrome%2Fbrowser%2Fpassword_manager%2F as a method to help track down the wherefores...
On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill () herrin us> wrote:On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms () gmail com> wrote:Encryption != plain text, just because it's not a hash doesn't meanit's problematic (if done correctly). Scott, Google's computer is able to compose an html document which contains my passwords in plain text. Whatever dance they do to either side of that point in their process, at that point they possess my passwords in plain text. Why is this concept a mystery to anyone?This is the exact same method that every single password managementsystem uses and all are far better for the average user than trying to reuse a single password or write them down. If I had authorized it, it would indeed be just like any other password managing web site. I did not knowingly authorize it. They snuck it on me. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- Re: Google uploading your plain text passwords, (continued)
- Re: Google uploading your plain text passwords Matthew Petach (Jun 11)
- Re: Google uploading your plain text passwords César de Tassis Filho (Jun 11)
- Re: Google uploading your plain text passwords William Herrin (Jun 11)
- Re: Google uploading your plain text passwords Damian Menscher via NANOG (Jun 11)
- Re: Google uploading your plain text passwords Hank Nussbacher (Jun 12)
- Re: Google uploading your plain text passwords Anoop Ghanwani (Jun 11)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Jim (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Max Harmony via NANOG (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 13)