To me, the Google "download all synced Chrome/Android *plaintext* passwords as a CSV" feature represents a dangerous single point of failure, and your security policies ought to prevent syncing.
9
42
146
Conversation
I recommend at least checking out that file to see what Google has grabbed over the years, delete private passwords, and disable further syncing.
2
9
Replying to
I don't remember google ever grabbing a password - I have only ever seen it ask for permission each time, did it used to grab without permission?
1
No, you've always had to either sign in to the browser to enable sync or explicitly enable sync if it's set to reuse the web content sign in. Setting a sync passphrase (end-to-end encryption) requires going out of the way to enable it since if you lose that all sync data is lost.