Scott, Google's computer is able to compose an html document which
contains my passwords in plain text. Whatever dance they do to either
side of that point in their process, at that point they possess my
passwords in plain text. Why is this concept a mystery to anyone?

Because it's wrong, they don't have your passwords you do (more accurately your device does).  They don't combine the decryption keys with the encrypted data, your device does. This is the case whenever something is encrypted rather than hashed.  It's literally impossible to provide a password saving mechanism that hashes the credentials.


  If I had authorized it, it would indeed be just like any other
password managing web site. I did not knowingly authorize it. They
snuck it on me.

You did authorize, you just didn't read the fine print.  Having said that, this part of your complaint is definitely the one that has the most merit IMO since if you enable it on mobile it directs you to a web page that you can't see at that time.

If you're concerned then I'd recommend setting a synch phrase, which makes it impossible for Google to decrypt the credentials without you inputting it and they do not store it.

https://support.google.com/chrome/answer/165139?visit_id=637591216572649483-884903087&rd=1

Scott Helms



On Sat, Jun 12, 2021 at 10:29 AM William Herrin <bill@herrin.us> wrote:
On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.helms@gmail.com> wrote:
> Encryption != plain text, just because it's not a hash doesn't mean it's problematic (if done correctly).

Scott, Google's computer is able to compose an html document which
contains my passwords in plain text. Whatever dance they do to either
side of that point in their process, at that point they possess my
passwords in plain text. Why is this concept a mystery to anyone?


> This is the exact same method that every single password management system uses and all are far better for the average user than trying to reuse a single password or write them down.

If I had authorized it, it would indeed be just like any other
password managing web site. I did not knowingly authorize it. They
snuck it on me.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/