On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:


On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher@beecher.cc> wrote:
They
snuck it on me.

"I didn't notice this until now" != "They snuck one by the goalie."


actually, i was wondering while reading this thread...
(I mean this for clarity sake, not in a 'blame the victim' sort of way"

"Did William think that password data, which had to be in plaintext to auto-fill forms/etc, was
stored on the local device(s) only?"

I suppose some scheme like:
  1) keep local copies in hashed/encrypted store
  2) upload said store to 'cloud' periodically (on change?)
  3) download on new device / clear-all-browser-data events

If the hashed pile of data is 'simply' encrypted with 'gmail/google account password'
(or that and some token from 'cloud') and decrypted in some form of javascript functions...

Then only the local browser really knows the content of the hash-file, right?
NOTE: I have no idea how chrome does it's thing here... but I expect the code is

would be a good place to go digging into the code / hows / whys / where-fores ?


The source.chromium site is neat, this query, for instance, finds where 'passwords.google.com' is in the code tree:
  https://source.chromium.org/search?q=passwords.google.com&sq=&ss=chromium%2Fchromium%2Fsrc:chrome%2Fbrowser%2Fpassword_manager%2F

as a method to help track down the wherefores...
 
 


On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill@herrin.us> wrote:
On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com> wrote:
> Encryption != plain text, just because it's not a hash doesn't mean it's problematic (if done correctly).

Scott, Google's computer is able to compose an html document which
contains my passwords in plain text. Whatever dance they do to either
side of that point in their process, at that point they possess my
passwords in plain text. Why is this concept a mystery to anyone?


> This is the exact same method that every single password management system uses and all are far better for the average user than trying to reuse a single password or write them down.

If I had authorized it, it would indeed be just like any other
password managing web site. I did not knowingly authorize it. They
snuck it on me.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/