by nadahalli 2819 days ago
It's possible that I want my passwords (of other sites) synced on all instances of Chrome across my devices, but I don't want Google to know these passwords (obviously). They have an "encrypt-passwords" feature for that.

https://support.google.com/chrome/answer/165139

Perhaps you have never visited passwords.google.com :-)

2 comments

The link says:

> Passphrases are optional. Your synced data is always protected by encryption when it's in transit.

Data is protected when in transit and passphrase is optional. How is this a good feature?

The difference is whether or not Google can see your passwords.

When you use a passphrase, your data will presumably be encrypted with your passphrase and thus only be visible to you with knowledge of the passphrase. Not even Google could see the data while it would be stored on their servers.

Encryption during transit means that no bad actors like hackers, unscrupulous ISPs or overzealous governments can access your data _while_ it travels over the wires towards Google's servers, but Google can still do what it wants with your data.

My question is why is that not on by default? Why would it ever be acceptable for Google to have unencrypted copies of your bank password for example?

I would assume it's the standard tradeoff - if you lose the key to the password DB (be it an actual cryptographic key or a password you synthesize it from), you lose access to the data, and some people are more interested in guaranteeing access to their data over avoiding storing it with an external entity.

(I work for Google but on nothing remotely related to this.)
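
An added example, not part of the thread and not Chrome Sync's actual scheme: a minimal sketch of the passphrase model discussed above, where the client encrypts before upload, the server holds only ciphertext, and a lost passphrase means lost data. The scrypt/AES-256-GCM choice, `SyncServer`, and all function names and sample values are assumptions made for illustration.

```javascript
// Illustrative sketch only; names and sample values are constructed.
const crypto = require('crypto');

// Client side: stretch the passphrase into a 256-bit key.
// Uses Node's default scrypt cost parameters (N=16384, r=8, p=1).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Client side: encrypt before anything leaves the device.
function encryptForSync(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Client side: returns null when the passphrase is wrong or the record was altered.
function decryptFromSync(passphrase, record) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
  } catch (e) {
    return null; // GCM tag check failed: no key, no data
  }
}

// Hypothetical sync server: it stores whatever arrives. TLS would protect this
// upload in transit either way; only client-side encryption hides it at rest.
class SyncServer {
  constructor() { this.store = new Map(); }
  put(user, record) { this.store.set(user, record); }
  get(user) { return this.store.get(user); }
}

function demo() {
  const server = new SyncServer();
  const secret = 'bank.example login: hunter2-constructed';
  server.put('alice', encryptForSync('correct horse battery staple', secret));
  const stored = server.get('alice');
  const blob = Buffer.concat([stored.salt, stored.iv, stored.ct, stored.tag]);
  return {
    serverSeesPlaintext: blob.includes(Buffer.from('hunter2')),
    withPassphrase: decryptFromSync('correct horse battery staple', stored),
    withoutPassphrase: decryptFromSync('forgotten passphrase guess', stored),
  };
}
```
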