8

It seems Google activated a central place for storing app/website passwords, which is accessible at https://passwords.google.com/, and all the remembered Chrome passwords are synced there.

In what format (encryption type) or how are all the passwords stored, how are they protected from hackers, and how safe/risky is it to keep them there? Are they accessible by Google sys admins?

kenorb
  • 4
    This is a question for Google. The service is called Smart Lock and details are here: http://get.google.com/smartlock/ – schroeder Aug 05 '15 at 20:22

1 Answer

8

Based on the information which I've found online so far, the following statements are true:

  • Passwords are always encrypted (source).
  • Chrome uses your Google Account to encrypt your synced passwords (source).
  • Whether or not you use a passphrase, your synced data is protected by encryption in transit.
  • Your Chrome sync passphrase is stored on your computer and will never be sent to Google.

You can decide to encrypt all synced passwords with a separate sync passphrase instead. If so, you can use Google's cloud to store and sync your data without letting Google read it.



kenorb
  • 6
    Although what you are saying is probably correct, your conclusion doesn't really hold; if you are worried about Google reading your password, then you should not assume that Google does what it says it does. I'm not saying you shouldn't trust Google, I'm just saying that if your attacker model includes Google, you should also assume their software is written by your attacker (or at least that it may not do what you expect it to). – Rens van der Heijden Aug 05 '15 at 21:34
  • 1
    Worth mentioning for Android, Smart Lock is only activated when you have an Android Wear watch nearby which acts as the key. So if your phone is stolen, they should not have easy access to your accounts assuming you don't have passwords or sessions remembered elsewhere on the phone. – Dennis Feb 07 '17 at 13:14