On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beecher@beecher.cc> wrote:
They
snuck it on me.
"I didn't notice this until now" != "They snuck one by the goalie."
actually, i was wondering while reading this thread... (I mean this for clarity sake, not in a 'blame the victim' sort of way" "Did William think that password data, which had to be in plaintext to auto-fill forms/etc, was stored on the local device(s) only?" I suppose some scheme like: 1) keep local copies in hashed/encrypted store 2) upload said store to 'cloud' periodically (on change?) 3) download on new device / clear-all-browser-data events If the hashed pile of data is 'simply' encrypted with 'gmail/google account password' (or that and some token from 'cloud') and decrypted in some form of javascript functions... Then only the local browser really knows the content of the hash-file, right? NOTE: I have no idea how chrome does it's thing here... but I expect the code is visible on chromium.org ? Perhaps even here: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/pass... would be a good place to go digging into the code / hows / whys / where-fores ?
On Sat, Jun 12, 2021 at 10:30 AM William Herrin <bill@herrin.us> wrote:
On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com> wrote:
Encryption != plain text, just because it's not a hash doesn't mean it's problematic (if done correctly).
Scott, Google's computer is able to compose an html document which contains my passwords in plain text. Whatever dance they do to either side of that point in their process, at that point they possess my passwords in plain text. Why is this concept a mystery to anyone?
This is the exact same method that every single password management system uses and all are far better for the average user than trying to reuse a single password or write them down.
If I had authorized it, it would indeed be just like any other password managing web site. I did not knowingly authorize it. They snuck it on me.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/