On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beec...@beecher.cc> wrote:
>> They snuck it on me.
>>
>
> "I didn't notice this until now" != "They snuck one by the goalie."
>

Actually, I was wondering while reading this thread...
(I mean this for clarity's sake, not in a 'blame the victim' sort of way)

"Did William think that password data, which had to be in plaintext to
auto-fill forms/etc, was stored on the local device(s) only?"

I suppose some scheme like:
  1) keep local copies in hashed/encrypted store
  2) upload said store to 'cloud' periodically (on change?)
  3) download on new device / clear-all-browser-data events

If the hashed pile of data is 'simply' encrypted with 'gmail/google
account password' (or that and some token from 'cloud') and decrypted in
some form of javascript functions... Then only the local browser really
knows the content of the hash-file, right?

NOTE: I have no idea how chrome does its thing here... but I expect the
code is visible on chromium.org? Perhaps even here:
  https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/

would be a good place to go digging into the code / hows / whys /
where-fores?

>
> On Sat, Jun 12, 2021 at 10:30 AM William Herrin <b...@herrin.us> wrote:
>
>> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.he...@gmail.com> wrote:
>> > Encryption != plain text, just because it's not a hash doesn't mean
>> > it's problematic (if done correctly).
>>
>> Scott, Google's computer is able to compose an html document which
>> contains my passwords in plain text. Whatever dance they do to either
>> side of that point in their process, at that point they possess my
>> passwords in plain text. Why is this concept a mystery to anyone?
>>
>> > This is the exact same method that every single password management
>> > system uses and all are far better for the average user than trying to
>> > reuse a single password or write them down.
>>
>> If I had authorized it, it would indeed be just like any other
>> password managing web site. I did not knowingly authorize it. They
>> snuck it on me.
>>
>> Regards,
>> Bill Herrin
>>
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/
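
The three-step scheme sketched in the reply above (encrypted local store, upload, decrypt only in the client), as an added example that is not part of the original thread and is not Chrome's code. It assumes scrypt and AES-256-GCM from Node's built-in crypto module; all function names and sample values are hypothetical. It shows that whoever can open the store must hold the secret, which is the point the two sides are arguing over.

```javascript
// Added illustration of the scheme discussed in the thread; NOT Chrome's implementation.
// Assumptions: scrypt as the KDF, AES-256-GCM as the cipher; every function
// name and sample value below is hypothetical / constructed.
const nodeCrypto = require('node:crypto');

// Client: derive the store key from a passphrase; the key itself is never uploaded.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Client, step 2: encrypt the store before it is uploaded.
function sealStore(passphrase, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  // This object is everything the sync server would hold.
  return { salt: salt.toString('base64'), iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Client, step 3: decrypt after download on a new device.
// Returns null when the passphrase is wrong or the blob was modified.
function openStore(passphrase, blob) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(passphrase, b(blob.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, b(blob.iv));
  decipher.setAuthTag(b(blob.tag));
  try {
    const pt = Buffer.concat([decipher.update(b(blob.ct)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// Server: it can compose a page showing the passwords only if one of the
// secrets it holds (or is sent, such as a login password) opens the blob.
function serverCanRender(blob, serverKnownSecrets) {
  return serverKnownSecrets.some((s) => openStore(s, blob) !== null);
}

// Constructed sample data.
const entries = [{ site: 'example.org', user: 'bill', password: 'correct horse' }];
const blob = sealStore('device-only passphrase', entries);
console.log(serverCanRender(blob, ['some-other-secret']));      // server lacks the secret
console.log(serverCanRender(blob, ['device-only passphrase'])); // server was given the secret
```
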