Conversation

It feels like there is a deepening divide between power users and regular users. The latter for example don't want to get locked out of all their accounts because they listened to advice to use a password manager, and then lost their laptop. Which ones are we building for?

Quote Tweet

mjos\dwez

@mjos_crypto

May 17, 2021

To me, the Google "download all synced Chrome/Android *plaintext* passwords as a CSV" feature represents a dangerous single point of failure, and your security policies ought to prevent syncing.

Show this thread

Filippo Valsorda

@FiloSottile

May 17, 2021

Like, we were out here saying SMS 2FA is pointless because Chrome has a password manager just a few months ago. (Not that I agree with that.) How is the Chrome password manager viable if it's not synced? How do you make a synced password manager without a download method?

'); DROP Ţ̸͓̠̼͖̖̆ͫ̑̒̿ͪ͞A̐͏̠̫͔̰̖ͅͅB̉͌͒̈LE name; --

@fardarter

May 17, 2021

Replying to

@FiloSottile

It doesn't have to be plaintext though.

Replying to

What else can it be? Someone who gets to that download already knows the account and sync passwords. Encrypting with it is as good as base64.

João Santos - @jmcs@social.tchncs.de

Replying to

and

It can have a master password. I think Firefox encrypts the passwords locally, if one is set (don't quote me on it though).

Replying to

and

Chrome already supports end-to-end encryption via a sync passphrase. Sync also isn't enabled by default. The default is that when you're logged in Google via web content, the browser shows you that you can use enable sync. Can turn it off to stop showing the option to use sync.

11:22 AM · May 17, 2021Twitter Web App