Saturday, April 9, 2016

passwords.google.com: single point of failure for all my password security

I'm surprised to notice that Google has silently transferred all my passwords to Google and stored the full password information on their server. It's a high security risk for me. You can see all the passwords using the following URL after you log in to your Gmail account:

passwords.google.com

If you are using Chrome as your main web browser, that means most of your passwords are stored there. And they can be viewed as plain text.

The problem is that you usually have different strategies for managing your passwords depending on the importance of the website: for a non-critical forum site you may use a very simple password, for an email site a somewhat more complex one, and for internet banking you want to use the most secure password.

But since Google saves all your passwords in plain text, this whole password strategy is downgraded to one single password: your Google password. Anyone around the world, once they have got your Google password or found a way to access your Google account (for example from your lost phone or device), can get all your other passwords. That would be a disaster.

Furthermore, for me a password is private information; it should never be stored anywhere except in my private notes or storage. Usually, as an online service provider, they should store only my password hash for verification purposes, because once the password itself is stored, their employees can see it, which is a high risk. Nobody can guarantee that every employee in a large corporation is a good guy.
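As an added example (not code from the post or from Google), this is what "store only the hash for verification" looks like for a service that authenticates users: each stored record holds a random salt and a PBKDF2-HMAC-SHA256 digest, the service can still verify a login, and nothing in the record reveals the password. The in-memory record format and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for the illustration; a real deployment tunes this.
_ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Build the stored verifier: a fresh random salt plus the derived key.
    The password itself is never written into the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, _ITERATIONS
    )
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": _ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate password and compare it to the
    stored digest in constant time, so the service never needs the plaintext."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def record_contains_plaintext(record: dict, password: str) -> bool:
    """True if any stored field would expose the password to whoever can
    read the database (an employee, or someone with the account)."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = make_record("correct horse battery staple")
    bob = make_record("correct horse battery staple")
    print("login ok:", verify(alice, "correct horse battery staple"))
    print("wrong password rejected:", not verify(alice, "Correct horse battery staple"))
    print("same password, different records:", alice["digest"] != bob["digest"])
    print("plaintext absent from record:",
          not record_contains_plaintext(alice, "correct horse battery staple"))
```

Contrast this with a synced password vault such as the one the post describes: it has to hand the original password back to the browser for autofill, so it cannot get by with a one-way hash, and whatever key unlocks the vault becomes the single point of failure.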

So to better protect yourself, I would suggest disabling Smart Lock for Passwords.