Re: Google uploading your plain text passwords

2021-06-14 Thread Jason Pope
I am not the brightest bulb in the house, but when I try to go to passwords.google.com, I get the following response: Google can't check your passwords for security issues because you set up a > passphrase to encrypt your passwords in your Google Account. This keeps the > data private to you.

Re: Google uploading your plain text passwords

2021-06-13 Thread nanog08
Has anyone used or looked at Bitwarden? They have a commercial cloud version, but also there is a run it yourself version. There is a Rust port called vaultwarden with docker images. Anyone have any experience with this particular password manager? Geoff On 6/13/21 11:12 AM, Tom Beecher

Re: Google uploading your plain text passwords

2021-06-13 Thread Tom Beecher
> > There's a problem with your theory. The browser I viewed the passwords > from Google in wasn't Chrome. And it didn't have a local copy of any > Google passwords or keys. The only place they could have come from was > Google's server. > Yes. The *encrypted* blob of login/password data was

Re: Google uploading your plain text passwords

2021-06-13 Thread K. Scott Helms
Bill, It's not a theory and it doesn't have to be Chrome to work. Javascript does the work to decrypt the data and it's not browser specific. Read the PDF I supplied that details _exactly_ how the key exchange and encryption works. Scott Helms On Sat, Jun 12, 2021 at 10:35 PM William Herrin

Re: Google uploading your plain text passwords

2021-06-12 Thread William Herrin
On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms wrote: > I don't think you're lying, but you are mistaken. > > "I'm not lying. Google's server at passwords.google.com > composed an html web page containing my plaintext passwords and sent > it to me. Not decrypted by my browser after combining it

Re: Google uploading your plain text passwords

2021-06-12 Thread Tom Beecher
> > So, you're not describing all of the possible ways to decrypt data. > What's happening is that the keys to decrypt the passwords are handed to > your client (with some checks like a local admin password or pin) when you > attempt to decrypt a given password. The passwords _are_ decrypted on

Re: Google uploading your plain text passwords

2021-06-12 Thread K. Scott Helms
Bill, I don't think you're lying, but you are mistaken. "I'm not lying. Google's server at passwords.google.com composed an html web page containing my plaintext passwords and sent it to me. Not decrypted by my browser after combining it with a locally stored key. " So, you're not describing

Re: Google uploading your plain text passwords

2021-06-12 Thread William Herrin
On Sat, Jun 12, 2021 at 10:36 AM Max Harmony via NANOG wrote: > On 12 Jun 2021, at 10.29, William Herrin wrote: >> They snuck it on me. > > By hiding it right on the "browser features" page? By silently defaulting it to enabled, damn right. Regards, Bill Herrin -- William Herrin

Re: Google uploading your plain text passwords

2021-06-12 Thread William Herrin
On Sat, Jun 12, 2021 at 12:10 PM K. Scott Helms wrote: > Scott, Google's computer is able to compose an html document which > contains my passwords in plain text. Whatever dance they do to either > side of that point in their process, at that point they possess my > passwords in plain text. Why

Re: Google uploading your plain text passwords

2021-06-12 Thread Christopher Morrow
Jim, I'd direct you to the bottom of my 1st message that says: "I have no idea how this works, but..." On Sat, Jun 12, 2021 at 2:35 PM Jim wrote: > > > NOTE: I have no idea how chrome does its thing here... but I expect the > code is > > visible on chromium.org ? Perhaps even here: > >

Re: Google uploading your plain text passwords

2021-06-12 Thread K. Scott Helms
Scott, Google's computer is able to compose an html document which contains my passwords in plain text. Whatever dance they do to either side of that point in their process, at that point they possess my passwords in plain text. Why is this concept a mystery to anyone? Because it's wrong, they

Re: Google uploading your plain text passwords

2021-06-12 Thread Jim
On Sat, Jun 12, 2021 at 12:33 PM Christopher Morrow wrote: > [] > If the hashed pile of data is 'simply' encrypted with 'gmail/google account > password' > (or that and some token from 'cloud') and decrypted in some form of > javascript functions... > Then only the local browser really

Re: Google uploading your plain text passwords

2021-06-12 Thread Hank Nussbacher
On 12/06/2021 08:31, Damian Menscher via NANOG wrote: The Chrome password manager is convenient, and the sync can be incredibly handy (I can sign into stuff on different computers or even my phone without needing to copy over the passwords), but you might consider leaving your highest-value

Re: Google uploading your plain text passwords

2021-06-12 Thread Christopher Morrow
On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow wrote: > > > On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher wrote: > >> They >>> snuck it on me. >>> >> >> "I didn't notice this until now" != "They snuck one by the goalie." >> >> > actually, i was wondering while reading this thread... > (I mean

Re: Google uploading your plain text passwords

2021-06-12 Thread Max Harmony via NANOG
On 12 Jun 2021, at 10.29, William Herrin wrote: > > They > snuck it on me. By hiding it right on the "browser features" page?

Re: Google uploading your plain text passwords

2021-06-12 Thread Christopher Morrow
On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher wrote: > They >> snuck it on me. >> > > "I didn't notice this until now" != "They snuck one by the goalie." > > actually, i was wondering while reading this thread... (I mean this for clarity sake, not in a 'blame the victim' sort of way" "Did William

Re: Google uploading your plain text passwords

2021-06-12 Thread Tom Beecher
> > They > snuck it on me. > "I didn't notice this until now" != "They snuck one by the goalie." On Sat, Jun 12, 2021 at 10:30 AM William Herrin wrote: > On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms > wrote: > > Encryption != plain text, just because it's not a hash doesn't mean it's >

Re: Google uploading your plain text passwords

2021-06-12 Thread William Herrin
On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms wrote: > Encryption != plain text, just because it's not a hash doesn't mean it's > problematic (if done correctly). Scott, Google's computer is able to compose an html document which contains my passwords in plain text. Whatever dance they do to

Re: Google uploading your plain text passwords

2021-06-12 Thread K. Scott Helms
Encryption != plain text, just because it's not a hash doesn't mean it's problematic (if done correctly). This is the exact same method that every single password management system uses and all are far better for the average user than trying to reuse a single password or write them down. Scott

Re: Google uploading your plain text passwords

2021-06-12 Thread Anoop Ghanwani
On Fri, Jun 11, 2021 at 12:51 PM Matthew Petach wrote: > > Having my email password compromised? > That's a bit of a "meh" moment. > Suddenly discovering that one password now gave access to > potentially all my financial accounts as well? > That's a wake up in the night with cold sweats moment.

Re: Google uploading your plain text passwords

2021-06-11 Thread Damian Menscher via NANOG
On Fri, Jun 11, 2021 at 12:48 PM Matthew Petach wrote: > > That's the part that would leave me concerned. > Having my email password compromised? > That's a bit of a "meh" moment. > Suddenly discovering that one password now gave access to > potentially all my financial accounts as well? >

Re: Google uploading your plain text passwords

2021-06-11 Thread Stephen Bertram
-- Forwarded message - From: William Herrin Date: Fri, 11 Jun 2021, 17:04 Subject: Google uploading your plain text passwords To: nanog@nanog.org Howdy, My gmail account prompted me today to change a compromised password. It wasn't compromised; it was an offline system where I

Re: Google uploading your plain text passwords

2021-06-11 Thread William Herrin
On Fri, Jun 11, 2021 at 1:05 PM César de Tassis Filho wrote: > Google uses your Google Account's password to encrypt passwords synced to the > cloud. That is why passwords saved on Android and synced to the cloud can be > read elsewhere (including passwords.google.com). > > As I mentioned

Re: Google uploading your plain text passwords

2021-06-11 Thread Michael Thomas
On Fri, Jun 11, 2021 at 12:01 PM William Herrin wrote: > On Fri, Jun 11, 2021 at 10:27 AM Michael Thomas wrote: > > Isn't that what lots of password managers do? I understand that one of > them syncs point to point, but that has the downside that it probably needs > to be on the same subnet. >

Re: Google uploading your plain text passwords

2021-06-11 Thread César de Tassis Filho
Google uses your Google Account's password to encrypt passwords synced to the cloud. That is why passwords saved on Android and synced to the cloud can be read elsewhere (including passwords.google.com). As I mentioned before, if you want to avoid this behavior Google offers you a way to use a

Re: Google uploading your plain text passwords

2021-06-11 Thread Matthew Petach
On Fri, Jun 11, 2021 at 12:32 PM Peter Beckman wrote: > On Fri, 11 Jun 2021, William Herrin wrote: > > > On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho > > wrote: > >> Google does not have access to your plain-text passwords in either case. > > > > If they can display the plain text

Re: Google uploading your plain text passwords

2021-06-11 Thread Peter Beckman
On Fri, 11 Jun 2021, William Herrin wrote: On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho wrote: Google does not have access to your plain-text passwords in either case. If they can display the plain text passwords to me on my screen in a non-Google web browser then they have access

Re: Google uploading your plain text passwords

2021-06-11 Thread William Herrin
On Fri, Jun 11, 2021 at 10:27 AM Michael Thomas wrote: > Isn't that what lots of password managers do? I understand that one of them > syncs point to point, but that has the downside that it probably needs to be > on the same subnet. It's exactly what lots of password managers with browser

Re: Google uploading your plain text passwords

2021-06-11 Thread Eric Kuhnke
I think you have only found the tip of the iceberg of things that Chrome and Google do without your express consent. On Fri, Jun 11, 2021 at 9:48 AM William Herrin wrote: > On Fri, Jun 11, 2021 at 9:38 AM Jan Schaumann via NANOG > wrote: > > William Herrin wrote: > > > It turns out that

Re: Google uploading your plain text passwords

2021-06-11 Thread Michael Thomas
[sorry meant to send this to the list] Isn't that what lots of password managers do? I understand that one of them syncs point to point, but that has the downside that it probably needs to be on the same subnet. The actual problem here is that sites only allow a single password. If you could

Re: Google uploading your plain text passwords

2021-06-11 Thread John Levine
It appears that William Herrin said: >On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho > wrote: >> Google does not have access to your plain-text passwords in either case. > >If they can display the plain text passwords to me on my screen in a >non-Google web browser then they have access to

Re: Google uploading your plain text passwords

2021-06-11 Thread William Herrin
On Fri, Jun 11, 2021 at 9:42 AM César de Tassis Filho wrote: > Google does not have access to your plain-text passwords in either case. If they can display the plain text passwords to me on my screen in a non-Google web browser then they have access to my plain text passwords. Everything else is

Re: Google uploading your plain text passwords

2021-06-11 Thread William Herrin
On Fri, Jun 11, 2021 at 9:38 AM Jan Schaumann via NANOG wrote: > William Herrin wrote: > > It turns out that every password I allowed Chrome on Android to > > remember, it uploaded to Google. In plain text!! > > Chrome does not store your passwords in plain text. > It encrypts them locally, on

Re: Google uploading your plain text passwords

2021-06-11 Thread César de Tassis Filho
Google stores encrypted passwords. By default it uses your own Google Account password as part of the key to decrypt your other synced passwords. But you can change that and use a custom "sync passphrase". Once you're logged in your device can decrypt your passwords and compare them against

Re: Google uploading your plain text passwords

2021-06-11 Thread Jan Schaumann via NANOG
William Herrin wrote: > It turns out that every password I allowed Chrome on Android to > remember, it uploaded to Google. In plain text!! Chrome does not store your passwords in plain text. It encrypts them locally, on e.g. macOS using, I think, a secret stored in the keychain under "Chrome

Re: Google uploading your plain text passwords

2021-06-11 Thread Alain Hebert
Hi, I use Firefox and saved its profile inside a VeraCrypt disk, inside a Bitlocked disk, inside a Surface3 used only for that purpose =D. (Yeah, that includes a few physical MFA devices and Shutdown instead of Sleeping, and yadi yada) So GL with Chrome =D. - Alain Hebert

Re: Google uploading your plain text passwords

2021-06-11 Thread Josh Luthman
Disable "auto sign-in" and "Save and fill addresses" and there's more for payment methods, too. Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Fri, Jun 11, 2021 at 12:12 PM William Herrin wrote: > On Fri, Jun 11, 2021 at 9:06 AM Josh

Re: Google uploading your plain text passwords

2021-06-11 Thread William Herrin
On Fri, Jun 11, 2021 at 9:16 AM Matthias Merkel wrote: > On mobile: Chrome Settings -> Sync -> Uncheck Sync All -> Uncheck Passwords This works. Thank you. Still, on by default? How many billions of passwords does google now have stored with reversible encryption? Regards, Bill Herrin --

Re: Google uploading your plain text passwords

2021-06-11 Thread William Herrin
On Fri, Jun 11, 2021 at 9:06 AM Josh Luthman wrote: > That's wrong, you CAN turn it off. I believe it's encrypted between Google > and your Chrome browser, it says so but I haven't confirmed this myself. Chrome can be configured to not remember passwords at all (makes a browser pretty

Re: Google uploading your plain text passwords

2021-06-11 Thread Josh Luthman
That's wrong, you CAN turn it off. I believe it's encrypted between Google and your Chrome browser, it says so but I haven't confirmed this myself. Chrome Settings, Password, disable "Offer to save passwords" Josh Luthman 24/7 Help Desk: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite

Google uploading your plain text passwords

2021-06-11 Thread William Herrin
Howdy, My gmail account prompted me today to change a compromised password. It wasn't compromised; it was an offline system where I intentionally used a generic password. But in the process... It turns out that every password I allowed Chrome on Android to remember, it uploaded to Google. In