On Sat, Jun 12, 2021 at 1:31 PM Christopher Morrow <morrowc.li...@gmail.com> wrote:
> On Sat, Jun 12, 2021 at 1:21 PM Tom Beecher <beec...@beecher.cc> wrote:
>
>>> They snuck it on me.
>>
>> "I didn't notice this until now" != "They snuck one by the goalie."
>
> actually, I was wondering while reading this thread...
> (I mean this for clarity's sake, not in a 'blame the victim' sort of way)
>
> "Did William think that password data, which had to be in plaintext to
> auto-fill forms/etc, was stored on the local device(s) only?"
>
> I suppose some scheme like:
> 1) keep local copies in hashed/encrypted store
> 2) upload said store to 'cloud' periodically (on change?)
> 3) download on new device / clear-all-browser-data events
>
> If the hashed pile of data is 'simply' encrypted with 'gmail/google
> account password' (or that and some token from 'cloud') and decrypted
> in some form of javascript functions...
>
> Then only the local browser really knows the content of the hash-file,
> right?
> NOTE: I have no idea how chrome does its thing here... but I expect the
> code is visible on chromium.org? Perhaps even here:
>
> https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/password_manager/
>
> would be a good place to go digging into the code / hows / whys /
> where-fores?

The source.chromium site is neat, this query, for instance, finds where
'passwords.google.com' is in the code tree:

https://source.chromium.org/search?q=passwords.google.com&sq=&ss=chromium%2Fchromium%2Fsrc:chrome%2Fbrowser%2Fpassword_manager%2F

as a method to help track down the wherefores...

>> On Sat, Jun 12, 2021 at 10:30 AM William Herrin <b...@herrin.us> wrote:
>>
>>> On Sat, Jun 12, 2021 at 5:11 AM K. Scott Helms <kscott.he...@gmail.com> wrote:
>>> > Encryption != plain text, just because it's not a hash doesn't mean
>>> > it's problematic (if done correctly).
>>>
>>> Scott, Google's computer is able to compose an html document which
>>> contains my passwords in plain text. Whatever dance they do to either
>>> side of that point in their process, at that point they possess my
>>> passwords in plain text. Why is this concept a mystery to anyone?
>>>
>>> > This is the exact same method that every single password management
>>> > system uses and all are far better for the average user than trying to
>>> > reuse a single password or write them down.
>>>
>>> If I had authorized it, it would indeed be just like any other
>>> password managing web site. I did not knowingly authorize it. They
>>> snuck it on me.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>> --
>>> William Herrin
>>> b...@herrin.us
>>> https://bill.herrin.us/
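
Added example, not part of the thread and not Chrome's code: the three-step scheme sketched in the message above (local encrypted store, upload, download on a new device), with the key derived from a passphrase that stays on the device. The choice of scrypt and AES-256-GCM, the function names and the sample values are all assumptions made for illustration.

```javascript
// Added illustration of a client-side encrypted password store.
// Not Chrome's implementation; every name and value here is constructed.
const crypto = require('crypto');

// Derive a 256-bit key from a passphrase that never leaves the device.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Step 1: seal the local store. The returned blob is what step 2 uploads.
function sealStore(entries, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Step 3: a new device downloads the blob and opens it with the passphrase.
// A wrong passphrase or a modified blob fails the GCM tag check and throws.
function openStore(blob, passphrase) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// What a party holding only the uploaded blob can do with a guessed secret.
function serverCanRead(blob, guess) {
  try { openStore(blob, guess); return true; } catch { return false; }
}

// Constructed sample data.
const entries = [{ site: 'example.com', user: 'bill', password: 'correct horse' }];
const blob = sealStore(entries, 'device-only passphrase');
console.log(Object.keys(blob).join(','));
console.log(openStore(blob, 'device-only passphrase')[0].password);
console.log(serverCanRead(blob, 'some other secret'));
```

Under this design the sync service stores only `salt`, `iv`, `tag` and `ct`; a service able to render the stored passwords into a web page would have to hold the key or the plaintext at that point.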