It feels like there is a deepening divide between power users and regular users. The latter, for example, don't want to get locked out of all their accounts because they listened to advice to use a password manager, and then lost their laptop. Which ones are we building for?
Quote Tweet
To me, the Google "download all synced Chrome/Android *plaintext* passwords as a CSV" feature represents a dangerous single point of failure, and your security policies ought to prevent syncing.
Like, we were out here saying SMS 2FA is pointless because Chrome has a password manager just a few months ago. (Not that I agree with that.) How is the Chrome password manager viable if it's not synced? How do you make a synced password manager without a download method?
Replying to and
It supports end-to-end encryption via a sync passphrase. There's no download option from the site if you've enabled a sync passphrase, since it couldn't be provided without client-side cryptography in the browser, which doesn't really make sense for this.
It seems like people have a problem with the fact that when you're signed into the account, you can download the passwords via a web UI. You could also simply install a browser or a tool for downloading them and do the same thing. Not providing a web UI doesn't improve anything.
A bit like how certain applications play the game of encrypting data with a key that's always available locally in order to say that the data isn't in plain text, but yet the key is right there in plain text. It's just obfuscation and isn't actually useful in any real way.