by dancek 2478 days ago
You could say I put a lot of trust in Google, as I use the built-in password manager in Chrome. My rationale is the following:

1. My browser vendor can access my browser passwords anyway.

2. It's better to trust fewer vendors and pieces of software.

3. Copying passwords to clipboard is awfully insecure.

4. Trying to remember all passwords is also awfully insecure.

I do not save any money-related passwords. I do dream of switching to pass from time to time.

6 comments

1. Is not necessarily true. If you use an open source browser like firefox, your browser vendor would absolutely not be able to access your passwords (...without creating a huge scandal where users would catch up immediately)

3. Can actually be mitigated, or other options can be used. For example, in my browser I disabled JavaScript clipboard access, so that random websites can't access my passwords. You mention pass, an excellent non-cloud option, which I personally use with a script that types in the password as if it was a keyboard - but Firefox and Chrome plugins with autofill are available, and those are offline.

Your browser sends and receives tons of packets to addresses owned by the browser vendor and third party sites. After all, that's its main function. Your open source browser is millions of lines of code. You think it would not be possible to exfiltrate passwords without your notice? It seems a much more practical approach to assume your browser vendor is a "good guy", as the alternative model is that you choose to do all your most sensitive computing via an adversary.
I think the premise is we would know if it already did that, and incremental code changes can be inspected to see it isn't added. So yeah, it's pretty safe to say open source makes it trustable.
That's pretty reasonable, but if I were a malicious actor looking to do something like this, I'd try to introduce different bugs at different times that combine to leak passwords. That would give plausible deniability, too. Not saying it's an easy scheme to engineer.
People inspect chrome diffs for weird changes too. Closed source software does not prevent people from noticing malware, especially in some of the most heavily scrutinized software in the world.
Regarding point 3, my point really is that just a command-line program is not enough. I need a browser plugin or a keyboard emulator. That's one more piece of software, possibly from another vendor (see point 2). But yes, you're right, using the clipboard is not required for any reasonable password manager. It just might be an easier way sometimes.

Also it's quite difficult to keep up with all the apps on my system and all of them can follow the clipboard. I didn't even consider random websites.

1. Is most certainly true. Everything you type needs to be entered, and your browser probably has undo/repeat, which means a stack of your text is available too. It's still an application at the end of the day.
I agree completely with your logic, especially that a password vendor can see passwords anyways. Introducing fewer parties reduces points of failure.

I save all money related passwords... Much safer than my faulty memory or having them listed in a doc somewhere.

I have to reset approximately one money related password every two years. Usually it takes a trip to a bank and might cost five euros. I think that's not unreasonable, but I'd love a system I could trust with everything I own.

    3. Copying passwords to clipboard is awfully insecure.
Not that I am aware of. What would make it insecure?
If you log in to AWS, then visit another site, your password is still on the clipboard. 1Password clears it out after ~30 seconds, IIRC, but it's still a bit of a risk.
All processes running on your computer can read the clipboard at any time. Many have plugin systems that expose clipboard contents to plugins.

Normally when you use a password manager you have to trust the password manager, the browser and the OS. By copying to clipboard you have to trust every piece of software you ever installed and every update they later got.
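The timed clear that the comments above attribute to 1Password and that pass's `-c` option also performs is easy to get subtly wrong: the clear must not clobber something the user copied in the meantime. The following is an added example, not code from the thread or from either of those tools. It assumes a clipboard backend with `get`/`set` methods: `SystemClipboard` shells out to pbcopy/pbpaste or xclip, which are assumed to be installed, and `MemoryClipboard` is a constructed stand-in so the logic can run without a display.

```python
"""Copy a secret to the clipboard and clear it after a timeout.

Added example (not from the thread). Clearing only helps against processes
that poll the clipboard *later*; anything that already read it, including a
clipboard-history manager, has the secret regardless.
"""
import shutil
import subprocess
import time
from typing import Callable


class MemoryClipboard:
    """In-memory clipboard stand-in (constructed for the example)."""

    def __init__(self) -> None:
        self.text = ""

    def get(self) -> str:
        return self.text

    def set(self, text: str) -> None:
        self.text = text


class SystemClipboard:
    """Real clipboard via pbcopy/pbpaste (macOS) or xclip (X11); assumed installed."""

    def __init__(self) -> None:
        if shutil.which("pbcopy"):
            self._copy = ["pbcopy"]
            self._paste = ["pbpaste"]
        elif shutil.which("xclip"):
            self._copy = ["xclip", "-selection", "clipboard", "-in"]
            self._paste = ["xclip", "-selection", "clipboard", "-out"]
        else:
            raise RuntimeError("no supported clipboard tool found")

    def get(self) -> str:
        return subprocess.run(self._paste, capture_output=True,
                              text=True, check=False).stdout

    def set(self, text: str) -> None:
        subprocess.run(self._copy, input=text, text=True, check=True)


def copy_secret(clip, secret: str) -> str:
    """Put `secret` on the clipboard; return what was there before."""
    previous = clip.get()
    clip.set(secret)
    return previous


def clear_if_unchanged(clip, secret: str, previous: str = "") -> bool:
    """Remove `secret` from the clipboard, but only if it is still there.

    Returns True if it cleared (restoring `previous`), False if the user has
    since copied something else, which we must leave alone.
    """
    if clip.get() != secret:
        return False
    clip.set(previous)
    return True


def copy_then_clear(clip, secret: str, timeout_s: float = 45.0,
                    sleep: Callable[[float], None] = time.sleep) -> bool:
    """Copy, wait `timeout_s` seconds, then clear; returns whether it cleared."""
    previous = copy_secret(clip, secret)
    sleep(timeout_s)
    return clear_if_unchanged(clip, secret, previous)


if __name__ == "__main__":
    # Constructed demo value; a real tool would read the secret from its store.
    copy_then_clear(SystemClipboard(), "example-secret", timeout_s=45.0)
```

The `sleep` parameter exists so the timing can be stubbed out when testing; in real use the caller blocks (or runs this in a background process, as pass does) for the full timeout. Note that the restore of `previous` mirrors pass's behaviour and means whatever was on the clipboard before, possibly another secret, comes back.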

>I do not save any money-related passwords. I do dream of switching to pass from time to time.

So you remember unique, high entropy passwords for all your money related sites? If not, you might be putting yourself at greater risk than syncing the passwords.

I don't have that many and the ones I use tend to enforce password type (say, a 4-number PIN as part of MFA).

But yes, I do remember a bunch of important unique passwords, and I do have to reset them occasionally by physically visiting and showing my id.

So true!
That’s an interesting perspective. I wouldn’t do it, but interesting nonetheless
Please read the following if you use chrome password manager on your phone:

https://www.reddit.com/r/Bitcoin/comments/cxtfak/coinomi_wal...

TL;DR: Someone in Google is sniffing autocorrect text and when they find 12-word bitcoin seed phrases they are stealing the bitcoin. This is a serious breach of trust. If someone from Google is reading this please take it seriously.

EDIT: On further research it may not categorically be someone in google if the autocorrect text is sent in plain text. Autocorrect text should not be sent in the clear though. See here for more information: https://avoid-coinomi.com

It looks like autocorrect wasn't sent in the clear at least according to one report.

This[1] report on this incident (commissioned by the wallet creators) makes me skeptical that autocorrect or Google was involved at all. I think some sort of malware or phishing to steal the seed was a much more likely attack.

[1] https://medium.com/@cipherblade/how-not-to-react-when-your-c...

I'm not sure if I believe that, but I'd never trust anyone with bitcoin seeds. I'm not sure what the risk is for passwords I'd type in my browser anyway and that I could reset with my Gmail account.