Google knows all the things!
Published September 14th, 2013 under General
Since writing this post, I believe Chrome has implemented a system to cater for this by encrypting your data via your Google login credentials.
This is somewhat of a community security notice, but also a request for a sanity check. If I have misunderstood how the data storage works, please let me know so that I can correct this post 😀
I’ve been ranting for a while now that using (some) password backup systems is not the best idea, but my ranting however has fallen on deaf ears. You know that thing in Android and Chrome that “safely backs up” your passwords and other private data? Ever wondered what happens to that data when it is “backed up”?
You may have been thinking that the data is encrypted and can only be decrypted by you. But then you need to ask the question “what is the decryption key?”. You can’t encryption something without a decryption key to get the data back out (except for hashes, but that’s somewhat different). Presumably the data you submit is encrypted, but how?
Many responses to this question have been “they’ll be using a device specific encryption keys”, but that can’t be the case here, since you can transfer your passwords to a new device should you lose the first one. The other option would be using your main password as the key, but in the case of Google, that would just be your Google password. But if your Google password is being used as a decryption key, and Google knows your password (or can learn it by forcing you to reauthenticate), then your passwords may as well be stored in plain text.
Google and the NSA know all the things!
The implication here is that both Google and the NSA can know all of your passwords. That may include bank passwords, email passwords, Facebook passwords, basically anything and everything that you don’t want other people finding out. To me, this is scary. For this reason I have never used the automatic password backup systems in Chrome or Android.
I don’t own any iOS devices, but iOS expert Thomas Hedderwick has informed me that the Apple iCloud service likely suffers from a similar problem. You can apparently turn that off, which I recommend you do.
Solution? Firefox to the rescue!
When I posted this initially, I recommended the password service LastPass. This is still adequate advice IMO, particularly if you are partial to Google Chrome, but Blair McBride from Mozilla kindly pointed out that Firefox uses end-to-end encryption on it’s Firefox sync service. I was intrigued by how this would work, and sure enough, when I tried to sync my passwords via Firefox, it immediately asked me to create a new login for that service. Presumably those login details are used by Firefox as the decryption key, but since they are specific to the browser, they never need to actually leave the browser, hence can be used securely. Mozilla will never know the decryption key, only Firefox the browser. This is a perfect solution to the problem and is exactly how Google should be solving this issue.
I lied a little bit …
I do actually use the built in password backup system in both Chrome. But I use it for unimportant stuff. Things I don’t mind if the NSA or some chump at Google finds out. But I do not and will not store anything important in there, as I don’t think that is a good idea in the slightest. I really don’t care if some NSA punk really wants to log in as me at WPTavern.com, but I would be grumpy if they could log in as me at Facebook.com. I even store my WiFi passwords in my Android phone, but my banking and some other password information aint going anywhere near Google if I can help it.
Sooo … if you want your passwords kept secret, use a proper password service like LastPass or change to a browser like Firefox with proper end to end encryption. Don’t trust the half-baked system built into Chrome, Android, iOS and probably many other systems.