It feels like there is a deepening divide between power users and regular users. The latter, for example, don't want to get locked out of all their accounts because they listened to advice to use a password manager, and then lost their laptop. Which ones are we building for?
Quote Tweet
To me, the Google "download all synced Chrome/Android *plaintext* passwords as a CSV" feature represents a dangerous single point of failure, and your security policies ought to prevent syncing.
Like, we were out here saying SMS 2FA is pointless because Chrome has a password manager just a few months ago. (Not that I agree with that.) How is the Chrome password manager viable if it's not synced? How do you make a synced password manager without a download method?
Replying to and
It supports end-to-end encryption via a sync passphrase. There's no download option from the site if you've enabled a sync passphrase since it couldn't be provided without client-side cryptography in the browser which doesn't really make sense for this.
Sync isn't enabled by default and you can happily set a sync passphrase before actually using the browser for anything after enabling sync. It's really not clear what the problem is with how it works. You have to explicitly turn this on and power users can set a sync passphrase.
It seems like people have a problem with the fact that when you're signed into the account, you can download the passwords via a web UI. You could also simply install a browser or a tool for downloading them and do the same thing. Not providing a web UI doesn't improve anything.