

Ask HN: Are my saved passwords safe in Google Chrome? - aps-sids

Can Google or someone else retrieve them remotely?
======
itsprofitbaron
When you save your passwords in Chrome, they are stored on your local machine
and are decrypted once your OS user is logged in. This is why you can view the
passwords in plain text, although the main reason is that, in order to use
auto-fill, Chrome needs to enter the plain text password into the HTML form.

The passwords themselves, however, are encrypted, and the only way to get them
back to plain text is through the decryption key – which is your Google
password/secondary key. When you sign into Chrome (and sync to the Google
servers) your encrypted password is transmitted along with the settings,
bookmarks etc. As a result, Google only has the information stored in an
encrypted state and does not have the key to decrypt it.

The only way your passwords are not safe is if your machine becomes
compromised.

~~~
aps-sids
Okay. But is it possible for some malicious addon/website to get this
information?

Also, what happens if Google decides to spy on someone? Basically, is it
possible that Chrome sends some data to Google servers even without the user
signing in for sync?

~~~
atesti
If something malicious gets onto your computer, it's game over anyway! Any
malware (Chrome extensions, software running on the computer, even not as
administrator) can start to listen to all keyboard events, all virtual
keyboards like those used in Korea, mandated by the government for security,
all network traffic (even encrypted, by hooking the APIs), etc.

So once the malware is on your computer, it can get all passwords entered
afterwards.

The only harm in saving passwords in Chrome is that the malware can get all
passwords at once and does not have to wait for you to log in to all important
pages eventually.

If the computer is stolen and not given back compromised, then it is safe,
because Chrome encrypts the passwords using the Windows password API, which
encrypts them using the user password.

------
drill_sarge
If you are worried about this, just save your passwords outside your browser
with a password safe like KeePass. Of course, this doesn't protect you if your
whole system gets compromised. And if you are worried about Google spying, why
do you use Chrome anyway?

------
ghuntley
I would be more worried locally; case in point, navigate to:
chrome://settings/passwords

