Google uploading your plain text passwords

Howdy,

My gmail account prompted me today to change a compromised password.
It wasn't compromised; it was an offline system where I intentionally
used a generic password. But in the process...

It turns out that every password I allowed Chrome on Android to
remember, it uploaded to Google. In plain text!! And it could prove it
by displaying the plain text passwords for me on my laptop. And I
can't turn the upload off!

To the google folks on here: Are you INSANE!?

Regards,
Bill Herrin

That’s wrong, you CAN turn it off. I believe it’s encrypted between Google and your Chrome browser; it says so, but I haven’t confirmed this myself.

Chrome Settings, Password, disable “Offer to save passwords”

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

Chrome can be configured to not remember passwords at all (makes a
browser pretty useless), but it won't keep them only on the local
device. If allowed to remember passwords, it uploads them to Google.
No knob to turn sync off.

-Bill

This works. Thank you.

Still, on by default? How many billions of passwords does google now
have stored with reversible encryption?

Regards,
Bill Herrin

Disable “auto sign-in” and “Save and fill addresses” and there’s more for payment methods, too.

Hi,

I use Firefox and saved its profile inside a VeraCrypt disk, inside a Bitlocked disk, inside a Surface3 used only for that purpose =D.
(Yeah, that includes a few physical MFA devices and shutting down instead of sleeping, and yada yada.)

So GL with Chrome =D.

Chrome does not store your passwords in plain text.
It encrypts them locally, on e.g. macOS using, I
think, a secret stored in the keychain under "Chrome
Safe Storage", on Windows using a similar API and
secret probably unlocked via your login credentials.

If you use your favorite internet search engine to
look for "how does Chrome store passwords", you'll
find the local sqlite file and more detailed
explanations.

-Jan

Google stores encrypted passwords. By default it uses your own Google Account password as part of the key to decrypt your other synced passwords. But you can change that and use a custom “sync passphrase”.

Once you’re logged in your device can decrypt your passwords and compare them against databases of known compromised passwords.

Google does not have access to your plain-text passwords in either case.

More info:
https://support.google.com/accounts/answer/6208650
https://security.googleblog.com/2020/10/new-password-protections-and-more-in.html

Regards,
César

Hi Jan,

I'm fine with Chrome encrypting them locally. That's what I want it to
do. I'm not at all fine with it uploading them to my Google account. I
don't want any trace of my non-google passwords present in my google
account. I'm very very not fine that it happened behind my back
without my express consent.

Regards,
Bill Herrin

If they can display the plain text passwords to me on my screen in a
non-Google web browser then they have access to my plain text
passwords. Everything else is semantics.

Regards,
Bill Herrin

It appears that William Herrin <bill@herrin.us> said:

[sorry meant to send this to the list]

Isn’t that what lots of password managers do? I understand that one of them syncs point to point, but that has the downside that it probably needs to be on the same subnet.

The actual problem here is that sites only allow a single password. If you could enroll more than one password you wouldn’t need to sync at all. Better: use asymmetric keys and enroll public keys so the secret never leaves your device.

Mike

I think you have only found the tip of the iceberg of things that Chrome and Google do without your express consent.

It's exactly what lots of password managers with browser extensions
do. I don't personally use them because I don't want my passwords
reversibly stored on a computer that I don't directly control. I have
no great philosophical problem with their existence and use by those
who want them, I just don't want them for myself.

My problem was suddenly finding Google in possession of passwords I
never intentionally allowed it to have. This sneak around behind my
back stuff means I wasn't in control of my passwords.

Regards,
Bill Herrin

Untrue. If you have a key on your computer, such as was mentioned that
the Google key may be stored locally in the MacOS Keychain, and you unlock
your MacOS Keychain with your local laptop login password, which is also
stored on an encrypted disk volume, that does not mean those passwords
have left your computer in plain text, or that Google has this key that
lives in your keychain.

I agree, if they do, that's terrible. But I haven't seen any evidence that
they do.

You can have multiple keys to encrypted data, and it is still stored in a
cryptographically secure way, assuming it is implemented well, despite
those multiple keys having the ability to decrypt your data.

I use 1Password. There are multiple keys that can unlock the other key
that can unlock my encrypted data. But just because I can see my passwords
in the app, and that there is a mechanism/code that can do the same
without the 1Password app to unlock and view my data, this does not mean
that 1Password has my keys, nor access to all my passwords.

Beckman

However, if the password is entered on one device (Android device, for example,
as mentioned in the original post), and then is visible in clear-text on a different
browser on a different device (laptop, for example, again, from the original post),
then clearly the password has left the original device in a form which is reversible
to the original clear text. You can argue that it may be stored “in the cloud” in
encrypted form; but it’s clearly being stored in a manner which can be reversed
to gain access to the original clear text, and using a key which is known to both
devices involved, and to the cloud system validating that authentication.

This isn’t about seeing the passwords in clear text on the same device
upon which they were entered; this is about a separate device having
visible access to the clear text of a password that was not entered via
that device.

If the laptop had required Bill to enter a decryption key first in order to
see the clear text, and that decryption key was one he had manually
configured on both devices, stored only locally on each device, then
you might be able to argue that the cloud never has visibility into the
passwords; but if the keys are encrypted using a gmail login credential,
which is itself stored and verified within the same cloud environment as
the encrypted password strings it is protecting, then your two factor
security has collapsed back down into a single point of compromise;
compromise the google password, and you have access to all the
passwords that were uploaded and stored in the system unbeknownst
to the user.

That’s the part that would leave me concerned.
Having my email password compromised?
That’s a bit of a “meh” moment.
Suddenly discovering that one password now gave access to
potentially all my financial accounts as well?
That’s a wake up in the night with cold sweats moment. :(

Matt

Google uses your Google Account’s password to encrypt passwords synced to the cloud. That is why passwords saved on Android and synced to the cloud can be read elsewhere (including passwords.google.com).

As I mentioned before, if you want to avoid this behavior Google offers you a way to use a different sync passphrase (which inhibits access to passwords.google.com and also disables other features). Instructions here: https://support.google.com/chrome/answer/165139#passphrase

César
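As an added illustration (not code from any poster, and a deliberately simplified model rather than Chrome's actual sync protocol), this models the two configurations César describes and the dependency Matt points out: when the vault key is derived only from the account password, a party that holds that password can derive the key; a separate, device-only sync passphrase breaks that link. The salt, the HMAC-based stream cipher and the sample vault are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Simplified model constructed for this example; it is NOT Chrome's real sync
# protocol. A vault of site passwords is encrypted under a key derived from
# either the account password (default) or a separate, user-chosen sync passphrase.
SALT = b"constructed-fixed-salt"  # a real system would use a random per-user salt

def derive_key(secret: str) -> bytes:
    """Derive a 32-byte vault key from a secret with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (a stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout is nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def cloud_can_read(vault: dict, account_password: str, sync_passphrase: Optional[str]) -> bool:
    """Model the server side as a party that holds the account password (it must
    verify it at sign-in) but never receives a user-chosen sync passphrase.
    True means that party can decrypt the synced vault with what it holds."""
    device_secret = sync_passphrase if sync_passphrase else account_password
    blob = encrypt(derive_key(device_secret), json.dumps(vault).encode())
    return decrypt(derive_key(account_password), blob) is not None

# Constructed sample vault of non-Google site passwords
VAULT = {"bank.example": "hunter2", "shop.example": "correct horse battery"}
```

`cloud_can_read(VAULT, "gmail-pw", None)` returns True in the default configuration and False once a separate sync passphrase is set, which is the difference the two posts above are arguing about.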

Well, browser extensions in and of themselves scare the living hell out of me. It really surprises me that they aren’t a major attack vector and in the news all of the time.

But yes, I agree that even encrypted they are a very tempting target for hackers, and especially foreign governments. A breach would mean that everybody is instantly screwed since they don’t have to break into individual computers, install malware, etc.

Mike

Hi César,

This would be fine had I intended this behavior. That it magically
happened because I told my phone it could sync my gmail is very very
disturbing.

Regards,
Bill Herrin
