Re: Google uploading your plain text passwords

[César de Tassis Filho <ctassisf () gmail com>]

Google uses your Google Account's password to encrypt passwords synced to
the cloud. That is why passwords saved on Android and synced to the cloud
can be read elsewhere (including passwords.google.com).

As I mentioned before, if you want to avoid this behavior Google offers you
a way to use a different sync passphrase (which inhibits access to
passwords.google.com and also disables other features). Instructions here:
https://support.google.com/chrome/answer/165139#passphrase

César

On Fri, Jun 11, 2021 at 4:50 PM Matthew Petach <mpetach () netflight com>
wrote:

> On Fri, Jun 11, 2021 at 12:32 PM Peter Beckman <beckman () angryox com>
> wrote:
>
> > On Fri, 11 Jun 2021, William Herrin wrote:
> >
> > > On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho
> > > <ctassisf () gmail com> wrote:
> > > > Google does not have access to your plain-text passwords in either
> > case.
> > > If they can display the plain text passwords to me on my screen in a
> > > non-Google web browser then they have access to my plain text
> > > passwords. Everything else is semantics.
> >
> >   Untrue. If you have a key on your computer, such as was mentioned that
> >   the Google key may be stored locally in the MacOS Keychain, and you
> > unlock
> >   your MacOS Keychain with your local laptop login password, which is also
> >   stored on an encrypted disk volume, that does not mean those passwords
> >   have left your computer in plain text, or that Google has this key that
> >   lives in your keychain.
> >
> >   I agree, if they do, that's terrible. But I haven't seen any evidence
> > that
> >   they do.
>
> However, if the password is entered on one device (Android device, for
> example,
> as mentioned in the original post), and then is visible in clear-text on a
> different
> browser on a different device (laptop, for example, again, from the
> original post),
> then clearly the password has left the original device in a form which is
> reversible
> to the original clear text.  You can argue that it may be stored "in the
> cloud" in
> encrypted form; but it's clearly being stored in a manner which can be
> reversed
> to gain access to the original clear text, and using a key which is known
> to both
> devices involved, and to the cloud system validating that authentication.
>
> This isn't about seeing the passwords in clear text on the same device
> upon which they were entered; this is about a *separate* device having
> visible access to the clear text of a password that was not entered via
> that device.
>
> If the laptop had required Bill to enter a decryption key first in order
> to
> see the clear text, and that decryption key was one he had manually
> configured on both devices, stored only locally on each device, then
> you might be able to argue that the cloud never has visibility into the
> passwords; but if the keys are encrypted using a gmail login credential,
> which is itself stored and verified within the same cloud environment as
> the encrypted password strings it is protecting, then your two factor
> security has collapsed back down into a single point of compromise;
> compromise the google password, and you have access to all the
> passwords that were uploaded and stored in the system unbeknownst
> to the user.
>
> That's the part that would leave me concerned.
> Having my email password compromised?
> That's a bit of a "meh" moment.
> Suddenly discovering that one password now gave access to
> potentially all my financial accounts as well?
> That's a wake up in the night with cold sweats moment.  :(
>
> Matt