nanog mailing list archives
Re: Google uploading your plain text passwords
From: "K. Scott Helms" <kscott.helms () gmail com>
Date: Sat, 12 Jun 2021 15:10:24 -0400
Scott, Google's computer is able to compose an html document which contains my passwords in plain text. Whatever dance they do to either side of that point in their process, at that point they possess my passwords in plain text. Why is this concept a mystery to anyone? Because it's wrong, they don't have your passwords you do (more accurately your device does). They don't combine the decryption keys with the encrypted data, your device does. This is the case whenever something is encrypted rather than hashed. It's literally impossible to provide a password saving mechanism that hashes the credentials. If I had authorized it, it would indeed be just like any other password managing web site. I did not knowingly authorize it. They snuck it on me. You did authorize, you just didn't read the fine print. Having said that, this part of your complaint is definitely the one that has the most merit IMO since if you enable it on mobile it directs you to a web page that you can't see at that time. If you're concerned then I'd recommend setting a synch phrase, which makes it impossible for Google to decrypt the credentials without you inputting it and they do not store it. https://support.google.com/chrome/answer/165139?visit_id=637591216572649483-884903087&rd=1 Scott Helms On Sat, Jun 12, 2021 at 10:29 AM William Herrin <bill () herrin us> wrote:
On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms () gmail com> wrote:Encryption != plain text, just because it's not a hash doesn't mean it'sproblematic (if done correctly). Scott, Google's computer is able to compose an html document which contains my passwords in plain text. Whatever dance they do to either side of that point in their process, at that point they possess my passwords in plain text. Why is this concept a mystery to anyone?This is the exact same method that every single password managementsystem uses and all are far better for the average user than trying to reuse a single password or write them down. If I had authorized it, it would indeed be just like any other password managing web site. I did not knowingly authorize it. They snuck it on me. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- Re: Google uploading your plain text passwords, (continued)
- Re: Google uploading your plain text passwords Anoop Ghanwani (Jun 11)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Jim (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Max Harmony via NANOG (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 13)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 13)
- Re: Google uploading your plain text passwords nanog08 (Jun 13)