How does Google know all my passwords?

I rarely log in to my Google account but I did this morning and Google enquired whether I wanted a password check so I clicked on "yes"

It checked my 55 saved passwords and said that I had 7 compromised passwords, 53 re-used passwords and 51 accounts using a weak password and listed all of the websites that had one or more of the above problems

How the hell does Google know all of my passwords as I thought that they were supposed to be encrypted and should I be concerned?

There are three sites with my wife's email address on where I assume that she used my computer to access and worryingly Google's list contains an icon by each to display the password
 

Mr D

Is Google storing your passwords? Or your computer and you have given Google access?

It's a good idea to practice password security and change them often. Much harder for someone to do something with a password you give out if it's no longer used by you.
 
Are you using Chrome as your web browser? If so you'll have checked to save the passwords for each website at some point (an easy click when registering or logging in).

No. I have used Internet Explorer for many years and have recently moved to Edge.

I do click the "save password" box on most sites but expected the browser to save them and not Google
 

gpietersz

    I think the most likely explanation is sync from a mobile device. If you are syncing across devices you might want to consider Firefox with a master password set up which will encrypt the stored passwords so only your devices can decrypt them.


    There are three sites with my wife's email address on where I assume that she used my computer to access and worryingly Google's list contains an icon by each to display the password

    If you share a computer, even occasionally, use separate logins or have a guest login for other users to share. Some OSes have guest logins that are cleaned up (all data reset) on logout.
     

    fisicx

    Google knows and remembers your history. It knows and remembers what you have typed.

    And because Edge now uses Chromium it means Google now has access to your Edge data.

    This is why I block everything and never use Chrome.
     

    gpietersz

    @fisicx not sure about that, depends what MS has done with it. If they enable tracking of that sort I would expect them to send the info to them, not Google. They seem to have disabled/removed a lot of stuff: https://imgur.com/a/ixbEqfT

    A number of browsers designed for privacy are Chromium based too - SRWare Iron and Brave for a start. Chromium itself (the pure open source version, which I use as well as Firefox) does not send browsing information to Google. Good discussion of Chromium here https://www.reddit.com/r/privacy/comments/34tc2f/how_safe_is_chromium_privacy_wise/
     
    Passwords - don't save them! CALCULATE THEM!

    It's easier than you think. Use a key to multiply a number based on the first few letters of the site you are visiting and mix it with variable numbers that you can and are bound to remember.

    My passwords are usually about 20 letters and numbers long that appear random and jumbled up and I neither remember them nor do I write them down anywhere.
     

    KAC

    Passwords - don't save them! CALCULATE THEM!

    It's easier than you think. Use a key to multiply a number based on the first few letters of the site you are visiting and mix it with variable numbers that you can and are bound to remember.

    My passwords are usually about 20 letters and numbers long that appear random and jumbled up and I neither remember them nor do I write them down anywhere.
    Sounds an interesting option.

    Can you give an example as to how it works? Not a real one of course :D
     

    Mr D

    Passwords - don't save them! CALCULATE THEM!

    It's easier than you think. Use a key to multiply a number based on the first few letters of the site you are visiting and mix it with variable numbers that you can and are bound to remember.

    My passwords are usually about 20 letters and numbers long that appear random and jumbled up and I neither remember them nor do I write them down anywhere.

    Someone suggested a while back that people use say the last 10 digits of pi as a password.
    After all, who will bother to work it out before the undertakers arrive? :)
     

    Nico Albrecht

    As a side note from a forensic point:

    I can extract passwords entered by the user on various login screens using a Web browser. However, there are some restrictions:

    • The analysis works for Firefox, Chrome, Edge and Opera only. Safari and Internet Explorer are not really possible at the moment.
    • If a user did not select to store their passwords, there is no way to extract them using browser analysis.
    • For Opera, it is not possible to determine which of the saved fields was a login and which was a password, so I would need to guess, and I may guess incorrectly. The reason for that is that Opera stores its passwords in random order and uses the site contents to determine what stored value should go to what field.
     

    patery

    You signed all this data over to Google when you signed up. Everything that happens on that browser they know about and for ease of access they store passwords. This is mainly because of cookies and other website data that Google collect with your permission.

    Hope this helped
     

    patery

    ... but do I / should I trust them?
    Yes, you should legally as long as you use a trusted company they do not store your data in a place where any hackers can get it easily even if they get into most of the company as these companies have security on the same levels as government related things (usually better). They are more safe than any other method that you could try and imo are a necessity if you are serious about online security.
     
    Are you asking your computer to store them so that it is easier for you to login next time you go online on your computer?

    Yes but I assumed that whilst Microsoft may well have access to my passwords through my use of Internet Explorer I didn't realise that Google would too and I also assumed that IE would have stored them in an encrypted fashion too.

    It seems that if anyone hacks in to my little used Google account they also gain access to all my passwords but fortunately my bank and credit card accounts weren't included in the lengthy list of passwords
     
    Can you give an example as to how it works? Not a real one of course :D
    Medium security - Take a series of numbers - anything will do. NI number, your secret lover's telephone number, an old bank account number, whatever. Give it a letter. Your lover is L, the bank is B, the NI number is N. Now take the first three or four letters of the site you are visiting. If it is an email provider and the name is Gmail, break up the numbers into blocks and place the letter that comes after the letter in the alphabet between those blocks. Now all you have to remember is the order in which those blocks come - LBN, NBL, BNL, etc.

    So if we want to go to Gmail and our Lover has the tel.no. 12345678 and our Bank is 87654321 and our access code is BL, then the password is simply 8765h4321n1234b5678.

    You can, of course, vary that and make the blocks of different lengths and go for two or three letters between blocks. All you have to remember is the order NL or whatever turns you on. Once you get used to it, it is a remarkably quick and easy way to have a decent password and 28.7-times better than handing over your security to Google.
     
    Upvote 0
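
The scheme described in the post above, written out as an added example (not code from the thread): it reproduces the post's Gmail password and then measures how much of each password stays the same from site to site. The function names, the 4-digit block size, the z-to-a wrap and the extra site names are assumptions for illustration.

```python
import string

# Constructed secrets, copied from the post's own worked example.
SECRETS = {"L": "12345678", "B": "87654321"}


def next_letter(ch):
    """Letter after ch in the alphabet (wrapping z to a is an assumption)."""
    i = string.ascii_lowercase.index(ch.lower())
    return string.ascii_lowercase[(i + 1) % 26]


def calculate(site, order, secrets=SECRETS, block=4):
    """Blocks of each secret, in `order`, joined by shifted site-name letters."""
    blocks = []
    for key in order:
        num = secrets[key]
        blocks += [num[i:i + block] for i in range(0, len(num), block)]
    usable = [c for c in site if c.lower() in string.ascii_lowercase]
    letters = [next_letter(c) for c in usable][:len(blocks) - 1]
    if len(letters) < len(blocks) - 1:
        raise ValueError("site name too short for the number of blocks")
    out = blocks[0]
    for sep, blk in zip(letters, blocks[1:]):
        out += sep + blk
    return out


def site_dependent_positions(sites, order):
    """Indexes where the password differs between at least two sites."""
    pws = [calculate(s, order) for s in sites]
    return [i for i in range(len(pws[0])) if len({p[i] for p in pws}) > 1]


def shared_fraction(sites, order):
    """Fraction of password characters identical on every site."""
    length = len(calculate(sites[0], order))
    return 1 - len(site_dependent_positions(sites, order)) / length


if __name__ == "__main__":
    sites = ["gmail", "amazon", "paypal"]  # constructed site list
    for s in sites:
        print(s, calculate(s, "BL"))
    print("site-dependent positions:", site_dependent_positions(sites, "BL"))
    print("shared fraction: %.2f" % shared_fraction(sites, "BL"))
```

With the post's secrets, only the three separator letters change between sites, and those come from the public site name, so a password leaked by any one site discloses the digits used on all the others.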

    UKSBD

    Medium security - Take a series of numbers - anything will do. NI number, your secret lover's telephone number, an old bank account number, whatever. Give it a letter. Your lover is L, the bank is B, the NI number is N. Now take the first three or four letters of the site you are visiting. If it is an email provider and the name is Gmail, break up the numbers into blocks and place the letter that comes after the letter in the alphabet between those blocks. Now all you have to remember is the order in which those blocks come - LBN, NBL, BNL, etc.

    So if we want to go to Gmail and our Lover has the tel.no. 12345678 and our Bank is 87654321 and our access code is BL, then the password is simply 8765h4321n1234b5678.

    You can, of course, vary that and make the blocks of different lengths and go for two or three letters between blocks. All you have to remember is the order NL or whatever turns you on. Once you get used to it, it is a remarkably quick and easy way to have a decent password and 28.7-times better than handing over your security to Google.

    The problem is, that's all irrelevant if when entering that password anywhere you are signed in to your Google account and inadvertently tick a box saying save this password for next time you login to this site. Which is really easy to do without even knowing you have (especially on a mobile)
     

    UKSBD

    Others would disagree.

    There are numerous sites where I save my login details or stay logged in.

    I just make sure that I use different passwords on different sites and only save the login details on sites that aren't important
     

    alan1302

    Yes but I assumed that whilst Microsoft may well have access to my passwords through my use of Internet Explorer I didn't realise that Google would too and I also assumed that IE would have stored them in an encrypted fashion too.

    It seems that if anyone hacks in to my little used Google account they also gain access to all my passwords but fortunately my bank and credit card accounts weren't included in the lengthy list of passwords
    The only way Google will know your passwords would be for you to have allowed them to. Using Internet Explorer or Edge would not give Google that access so you must have done it at one time elsewhere. Maybe on a mobile phone and used Chrome?
     

    UKSBD

    Others would disagree.

    There are numerous sites where I save my login details or stay logged in.

    I just make sure that I use different passwords on different sites and only save the login details on sites that aren't important

    Following on from this post

    Just checked my history for this morning alone and I've been to at least 10 websites where I was either already logged in to or my login details were remembered.

    The thought of having to sign in and re-enter a password every time would drive me mad.
     

    Mr D

    Following on from this post

    Just checked my history for this morning alone and I've been to at least 10 websites where I was either already logged in to or my login details were remembered.

    The thought of having to sign in and re-enter a password every time would drive me mad.

    Depends how much security you want.

    To be secure you use separate logins for each site and you change all passwords regularly.

    Many appear to use one password for all things, never change it - then give it away to someone.
     

    Nico Albrecht

    How? Have you written this up? Can you do it without access to the user's computer or having first compromised it in some way?

    No need to compromise the computer first, encrypted local browser data is not that hard to gain access to. Access to the user computer helps quite a bit. But don't be fooled that any encrypted browser password in Firefox will hold up much. Next vulnerability is live RAM data extraction, as long as the OS doesn't encrypt the RAM content this would open up another angle of attack for any 3rd party tool.
     

    DontAsk

    So if we want to go to Gmail and our Lover has the tel.no. 12345678 and our Bank is 87654321 and our access code is BL, then the password is simply 8765h4321n1234b5678.

    I use something similar but then it breaks down when you find a site that stupidly insists on a special character such as '$'. Other sites disallow special characters. There's no one system that fits all.
     
    I've experienced the same problem and use 8765h4321-n-1234b5678 or similar, but one has to write that down somewhere and only for extreme and unavoidable cases - otherwise, I avoid daft password stipulations. You want my custom, you use my PW system.
     

    Nico Albrecht

    To make it short, the password complexity is almost irrelevant as it is a single point of failure once compromised. If Ian is concerned about passwords that could float around in a Google data centre or a 3rd party gained access, 2 factor authentication protection is the only viable option.

    Creating complex passwords is as safe as creating non-complex ones and a lot of stuff from the early 00's such as changing password on a regular basis is actually considered not very good practice anymore and has a higher risk. A password is safe until it is considered compromised, the complexity doesn't matter. With many websites only allowing a few wrong passwords before you get blocked anyway the complexity of passwords is even less relevant.

    Secure your critical accounts with either geo tagging or 2 factor authentication.

    The biggest risk with entering passwords on websites is either on your computer by 3rd party elevated software such as antivirus or browser extension monitoring data and transferring it back. Free Avast and AVG are known to send your visited websites back to them. Also anti virus solutions run with elevated privileges; they can easily access restricted browser caches and RAM content.

    Next risk is the website saving your password can be compromised in many ways.

    Have you written this up?

    No, this is R&D + business secrets but there are tons of good articles on the web explaining it in detail how it can be done.
     

    Mjay

    I rarely log in to my Google account but I did this morning and Google enquired whether I wanted a password check so I clicked on "yes"

    It checked my 55 saved passwords and said that I had 7 compromised passwords, 53 re-used passwords and 51 accounts using a weak password and listed all of the websites that had one or more of the above problems

    How the hell does Google know all of my passwords as I thought that they were supposed to be encrypted and should I be concerned?

    There are three sites with my wife's email address on where I assume that she used my computer to access and worryingly Google's list contains an icon by each to display the password

    If you're using Google Chrome and registered/logged in on a website, a pop-up appears on the top giving you the option to "save" the password or "never". It's possible that you selected "save" hence, all your passwords being saved.
    Hope that helped.
     