Re: Google uploading your plain text passwords

[nanog08 () mulligan org]

Has anyone used or looked at Bitwarden.

They have a commercial cloud version, but also there is a run it 
yourself version.

There is a RUST port called vaultwarden with docker images.

Anyone have any experience with this particular password manager?

Geoff


On 6/13/21 11:12 AM, Tom Beecher wrote:
>     There's a problem with your theory. The browser I viewed the passwords
>     from Google in wasn't Chrome. And it didn't have a local copy of any
>     Google passwords or keys. The only place they could have come from was
>     Google's server.
>
>
> Yes. The *encrypted* blob of login/password data was retrieved from 
> Google's servers over a TLS protected session. When you click on any 
> password to view it, the Javascript that it also downloaded presents 
> you with another password challenge, which when successful, the JS 
> will then to decrypt and display the data.
>
> - Nothing is ever transmitted in the clear.
> - The decryption as far I can see is only ever done locally. ( Using 
> the OS hooks if in Chrome, or Javascript via passwords.google.com 
> <http://passwords.google.com>. )
>
> On Sat, Jun 12, 2021 at 10:36 PM William Herrin <bill () herrin us 
> <mailto:bill () herrin us>> wrote:
>
>     On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms
>     <kscott.helms () gmail com <mailto:kscott.helms () gmail com>> wrote:
>     > I don't think you're lying, but you are mistaken.
>     >
>     > "I'm not lying. Google's server at passwords.google.com
>     <http://passwords.google.com>
>     > composed an html web page containing my plaintext passwords and sent
>     > it to me. Not decrypted by my browser after combining it with a
>     > locally stored key. "
>     >
>     > So, you're not describing all of the possible ways to decrypt
>     data.  What's happening is that the keys to decrypt the passwords
>     are handed to your client (with some checks like a local admin
>     password or pin) when you attempt to decrypt a given password. 
>     The passwords _are_ decrypted on your device and you did not get a
>     HTML page with your passwords.  Please, go look at the source
>     yourself.  What you got was a page that's almost entirely
>     javascript and that includes the functions that handle the decryption.
>     >
>     > Don't take my word for it, "When you log in to a website while
>     signed in to Chrome, Chrome encrypts your username and password
>     with a secret key known only to your device. Then it sends an
>     obscured copy of your data to Google. Because the encryption
>     happens before Google’s servers get the information, nobody,
>     including Google, learns your username or password."
>
>     There's a problem with your theory. The browser I viewed the passwords
>     from Google in wasn't Chrome. And it didn't have a local copy of any
>     Google passwords or keys. The only place they could have come from was
>     Google's server.
>
>     Regards,
>     Bill Herrin
>
>
>
>     -- 
>     William Herrin
>     bill () herrin us <mailto:bill () herrin us>
>     https://bill.herrin.us/ <https://bill.herrin.us/>