I understand that we are really tempted to save our passwords in Google Chrome. The likely benefit is twofold:
- You don't need to (memorize and) input those long and cryptic passwords.
- These are available wherever you are once you log in to your Google account.
The last point sparked my doubt. Since the password is available anywhere, the storage must be in some central location, and this should be at Google.
Now, my simple question is, can a Google employee see my passwords?
Searching over the Internet revealed several articles/messages.
- Do you save passwords in Chrome? Maybe you should reconsider: Talks about your passwords being stolen by someone who has access to your computer account. Nothing mentioned about the central storage security and vulnerability. There is even a response from Chrome browser security tech lead about the first issue.
- Chrome’s insane password security strategy: Mostly along the same line. You can steal a password from somebody if you have access to the computer account.
- How to Steal Passwords Saved in Google Chrome in 5 Simple Steps: Teaches you how to actually perform the act mentioned in the previous two when you have access to somebody else's account.
There are many more (including this one at this site), mostly along the same line, points, counter-points, huge debates. I refrain from mentioning them here; simply carry out a search if you want to find them.
Coming back to my original query, can a Google employee see my password? Since I can view the password using a simple button, definitely they can be unhashed (decrypted) even if encrypted. This is very different from the passwords saved in Unix-like OS's where the saved password can never be seen in plain text.
They use a one-way encryption algorithm to encrypt your passwords. This encrypted password is then stored in the passwd or shadow file. When you attempt to login, the password you type in is encrypted again and compared with the entry in the file that stores your passwords. If they match, it must be the same password, and you are allowed access. Thus, a superuser can change my password, can block my account, but he can never see my password.
You can't "unhash" a string. Cryptographic hash functions are one-way; they are designed to be infeasible (i.e., taking so long to do that by the time you get it done, it won't matter anymore) to reverse. The *nix "one-way encryption algorithm" IS a hash function. – Blacklight Shining – 2013-10-07T14:07:45.710
Thanks, somehow I got carried away. I wanted to mean decrypt. – Masroor – 2013-10-07T14:39:10.603
As long as those passwords are not used for WiFi on Android too, you should be safe. I have to say this, as Google knows your WiFi passes used on Android. – math – 2013-10-09T13:35:37.443
@math Would you like to elaborate that a bit? Somehow failed to comprehend fully. – Masroor – 2013-10-09T13:37:47.140
There are many news sites dealing with this topic, just use a search machine with: "Wifi passwords google android" done. E.g. http://gizmodo.com/google-knows-the-wi-fi-passwords-of-all-android-users-1324036508 – math – 2013-10-09T14:24:01.930
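The Unix-style scheme the question describes (store a one-way hash, re-hash the typed password at login and compare), as an added example that is not part of the original thread. PBKDF2 stands in for the system's crypt(3) schemes, and the record layout and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def make_entry(password: str) -> str:
    """Build a shadow-style record: scheme$iterations$salt$digest (constructed layout)."""
    salt = os.urandom(16)  # fresh salt per record, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, entry: str) -> bool:
    """Re-hash the typed password with the stored salt and compare digests."""
    if entry.startswith("!"):  # locked record never matches any password
        return False
    try:
        scheme, iterations, salt_hex, digest_hex = entry.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations)
        )
    except ValueError:  # malformed or truncated record
        return False
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def lock(entry: str) -> str:
    """What an administrator can do: block the account without knowing the password."""
    return entry if entry.startswith("!") else "!" + entry


def admin_reset(new_password: str) -> str:
    """What an administrator can do: overwrite the record with a new password."""
    return make_entry(new_password)


if __name__ == "__main__":
    record = make_entry("correct horse")        # constructed sample password
    print(record)                               # contains salt and digest only
    print(verify("correct horse", record))      # login succeeds
    print(verify("correct horse", lock(record)))  # blocked account
```

Nothing in the record lets its holder recover the password, which is the difference from a password manager: a store that can show the password back to you has to keep it in a reversible form.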