@alxd Seems fishy. They might be hashing them and then sending that hash off somewhere?
Not a good idea regardless.
@alxd I got this too, had the same thought... but it’s their cloud password manager, they have to have them available as plaintext one way or another, no?
@tynanpants if they want to make them readable in the web interface, yes. If they were decrypted only on the client, it'd be a different story.
@alxd Oh gosh, I hadn't even thought about sending the passwords over the wire. Wonder how they do it. Seems important! Haha
@alxd I think it keeps track of your e-mail addresses, those usually accompany the leaked passwords.
@deshipu Yes, but Google Password Manager can show you all your remembered passwords in plaintext. Even if Google stores them encrypted at rest, they have ways of decrypting them on their side :/
@deshipu store as in Chrome, not on their servers. I haven't used that feature for over 8 years, but I assumed they'll just have an encrypted blob they'll send to my Chrome when they sync.
That's what I was wondering. Luckily when I stopped using Google's password management, I also changed all my passwords 😁
Either that, or they obtained the list of exposed passwords, hashed them with whatever hashing method they use, then compare hashes against the ones that you've got saved.
A match = compromised password.
That's how I'd do it if I were trying to protect my users without infringing on their privacy.
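The hash-and-compare approach described in the post above, as an added illustration (not code from anyone in the thread, and not a description of how Google actually implements its check). It assumes a constructed breach list, SHA-256 as the hash, and a k-anonymity prefix lookup in the style of Have I Been Pwned's Pwned Passwords API, so the server only ever sees a short hash prefix, never the plaintext or the full hash:

```python
import hashlib
from collections import defaultdict

# Constructed sample breach corpus for the demo; these are not real leaked credentials.
LEAKED_PASSWORDS = ["password123", "letmein", "qwerty2019", "hunter2"]

PREFIX_LEN = 5  # hex chars the client sends; the remaining 59 never leave the client


def hash_password(password: str) -> str:
    """Uppercase hex SHA-256 of the UTF-8 password.
    SHA-256 is an assumption for this example; any fixed hash works for the protocol."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Server side: bucket breach hashes by prefix.
    The server stores hashes only, so it never holds the users' plaintext."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hash_password(pw)
        index[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
    return index


def server_lookup(prefix: str, index) -> set:
    """Server side: return every suffix in the requested bucket (k-anonymity).
    The server learns which 5-hex-char bucket was asked about, not which password."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex chars" % PREFIX_LEN)
    return set(index.get(prefix, ()))


def client_is_compromised(password: str, lookup) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    A match means the password appears in the breach corpus."""
    digest = hash_password(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in lookup(prefix)


if __name__ == "__main__":
    index = build_breach_index(LEAKED_PASSWORDS)
    lookup = lambda p: server_lookup(p, index)  # stands in for the network round trip
    for candidate in ["hunter2", "correct horse battery staple"]:
        verdict = "compromised" if client_is_compromised(candidate, lookup) else "ok"
        print(candidate, "->", verdict)
```

The privacy property holds only while the client does the hashing and the final comparison; a service that can display the stored password in a web interface has already made a different trade-off, which is the point the thread goes on to make.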
@GigaByte4711 Yeah, but Google Password Manager can show you your decrypted passwords online, even if they didn't leak. Google can decrypt them on their own server, that's the problem.
"So it's best to assume whatever you hand to such a service is not controlled by you anymore."
I'm not sure how Google hashes/encrypts those passwords, but obviously it's not a one-way method. I reckon there's a chance that they use your Google password (or another auth token) to encrypt your plaintext password, allowing you to decrypt it.
Again, we don't know, so we can't be sure.
@alxd It needs to be able to retrieve the original form of the passwords somehow. How would it otherwise be able to send it to websites that expect it? That's the modus operandi of all password managers, Google or not, encrypted or not.