¿Pueden los empleados de Google ver mis contraseñas de Google Chrome guardadas?

Tabla de contenido:

Video: ¿Pueden los empleados de Google ver mis contraseñas de Google Chrome guardadas?

Video: ¿Pueden los empleados de Google ver mis contraseñas de Google Chrome guardadas?
Video: EXPLICACIÓN de AJUSTES GRÁFICOS y AUMENTAR los FPS en JUEGOS 2024, Marcha
¿Pueden los empleados de Google ver mis contraseñas de Google Chrome guardadas?
¿Pueden los empleados de Google ver mis contraseñas de Google Chrome guardadas?
Anonim
Almacenar sus contraseñas en su navegador web parece ser un gran ahorro de tiempo, pero ¿son las contraseñas seguras e inaccesibles para los demás (incluso los empleados de la compañía de navegadores) cuando se guardan?
Almacenar sus contraseñas en su navegador web parece ser un gran ahorro de tiempo, pero ¿son las contraseñas seguras e inaccesibles para los demás (incluso los empleados de la compañía de navegadores) cuando se guardan?

La sesión de Preguntas y Respuestas de hoy nos llega por cortesía de SuperUser, una subdivisión de Stack Exchange, un grupo de sitios web de preguntas y respuestas impulsado por la comunidad.

La pregunta

SuperUser reader MMA es curioso si los empleados de Google tienen (o podrían tener) acceso a las contraseñas que almacena en Google Chrome:

I understand that we are really tempted to save our passwords in Google Chrome. The likely benefit is two fold,

  • You don’t need to (memorize and) input those long and cryptic passwords.
  • These are available wherever you are once you log in to your Google account.

The last point sparked my doubt. Since the password is available anywhere, the storage must in some central location, and this should be at Google.

Now, my simple question is, can a Google employee see my passwords?

Searching over the Internet revealed several articles/messages.

  • Do you save passwords in Chrome? Maybe you should reconsider: Talks about your passwords being stolen by someone who has access to your computer account. Nothing mentioned about the central storage security and vulnerability. There is even a response from Chrome browser security tech lead about the first issue.
  • Chrome’s insane password security strategy: Mostly along the same line. You can steal password from somebody if you have access to the computer account.
  • How to Steal Passwords Saved in Google Chrome in 5 Simple Steps: Teaches you how to actually perform the act mentioned in the previous two when you have access to somebody else’s account.

There are many more (including this one at this site), mostly along the same line, points, counter-points, huge debates. I refrain from mentioning them here, simply carry a search if you want to find them.

Coming back to my original query, can a Google employee see my password? Since I can view the password using a simple button, definitely they can be unhashed (decrypted) even if encrypted. This is very different from the passwords saved in Unix-like OS’s where the saved password can never be seen in plain text.

They use a one-way encryption algorithm to encrypt your passwords. This encrypted password is then stored in the passwd or shadow file. When you attempt to login, the password you type in is encrypted again and compared with the entry in the file that stores your passwords. If they match, it must be the same password, and you are allowed access. Thus, a superuser can change my password, can block my account, but he can never see my password.

Entonces, ¿están sus preocupaciones bien fundadas o una pequeña idea disipará su preocupación?

La respuesta

Zeel, colaborador del superusuario, lo ayuda a tranquilizarse:

Short answer: No*

Passwords stored on your local machine can be decrypted by Chrome, as long as your OS user account is logged in. And then you can view those in plain text. At first this seems horrible, but how did you think auto-fill worked? When that password field gets filled in, Chrome must insert the real password into the HTML form element – or else the page wouldn’t work right, and you could not submit the form. And if the connection to the website is not over HTTPS, the plain text is then sent over the internet. In other words, if chrome can’t get the plain text passwords, then they are totally useless. A one way hash is no good, because we need to use them.

Now the passwords are in fact encrypted, the only way to get them back to plain text is to have the decryption key. That key is your Google password, or a secondary key you can set up. When you sign into Chrome and sync the Google servers will transmit the encrypted passwords, settings, bookmarks, auto-fill, etc, to your local machine. Here Chrome will decrypt the information and be able to use it.

On Google’s end all that info is stored in its encrpyted state, and they do not have the key to decrypt it. Your account password is checked against a hash to log in to Google, and even if you let chrome remember it, that encrypted version is hidden in the same bundle as the other passwords, impossible to access. So an employee could probably grab a dump of the encrypted data, but it wouldn’t do them any good, since they would have no way to use it.*

So no, Google employees can not** access your passwords, since they are encrypted on their servers.

* However, do not forget that any system that can be accessed by an authorized user can be accessed by an unauthorized user. Some systems are easier to break than other, but none are fail-proof… That being said, I think I will trust Google and the millions they spend on security systems, over any other password storage solution. And heck, I’m a wimpy nerd, it would be easier to beat the passwords out of me than break Google’s encryption.

** I am also assuming that there isn’t a person who just happens to work for Google gaining access to your local machine. In that case you are screwed, but employment at Google isn’t actually a factor any more. Moral: Hit Win + L before leaving machine.

Si bien estamos de acuerdo con Zeel en que es una apuesta bastante segura (siempre que su computadora no esté comprometida) que sus contraseñas sean seguras mientras están almacenadas en Chrome, preferimos cifrar todos nuestros nombres de usuario y contraseñas en una bóveda de LastPass.

¿Tienes algo que añadir a la explicación? Apague el sonido en los comentarios. ¿Quieres leer más respuestas de otros usuarios de Stack Exchange con experiencia en tecnología? Echa un vistazo a la discusión completa aquí.

Recomendado: