Re: Google uploading your plain text passwords

[Christopher Morrow <morrowc.lists () gmail com>]

On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow <morrowc.lists () gmail com>
wrote:

> On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher () beecher cc> wrote:
>
> > They
> > > snuck it on me.
> >
> > "I didn't notice this until now" != "They snuck one by the goalie."
> actually, i was wondering while reading this thread...
> (I mean this for clarity sake, not in a 'blame the victim' sort of way"
>
> "Did William think that password data, which had to be in plaintext to
> auto-fill forms/etc, was
> stored on the local device(s) only?"
>
> I suppose some scheme like:
>   1) keep local copies in hashed/encrypted store
>   2) upload said store to 'cloud' periodically (on change?)
>   3) download on new device / clear-all-browser-data events
>
> If the hashed pile of data is 'simply' encrypted with 'gmail/google
> account password'
> (or that and some token from 'cloud') and decrypted in some form of
> javascript functions...
>
> Then only the local browser really knows the content of the hash-file,
> right?
> NOTE: I have no idea how chrome does it's thing here... but I expect the
> code is
> visible on chromium.org ? Perhaps even here:
>
> https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/
>
>
> would be a good place to go digging into the code / hows / whys /
> where-fores ?
The source.chromium site is neat, this query, for instance, finds where '
passwords.google.com' is in the code tree:

https://source.chromium.org/search?q=passwords.google.com&sq=&ss=chromium%2Fchromium%2Fsrc:chrome%2Fbrowser%2Fpassword_manager%2F

as a method to help track down the wherefores...


> > On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill () herrin us> wrote:
> >
> > > On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms () gmail com>
> > > wrote:
> > > > Encryption != plain text, just because it's not a hash doesn't mean
> > > it's problematic (if done correctly).
> > >
> > > Scott, Google's computer is able to compose an html document which
> > > contains my passwords in plain text. Whatever dance they do to either
> > > side of that point in their process, at that point they possess my
> > > passwords in plain text. Why is this concept a mystery to anyone?
> > >
> > >
> > > > This is the exact same method that every single password management
> > > system uses and all are far better for the average user than trying to
> > > reuse a single password or write them down.
> > >
> > > If I had authorized it, it would indeed be just like any other
> > > password managing web site. I did not knowingly authorize it. They
> > > snuck it on me.
> > >
> > > Regards,
> > > Bill Herrin
> > >
> > >
> > > --
> > > William Herrin
> > > bill () herrin us
> > > https://bill.herrin.us/