It doesn't take Google's resources; anybody willing to invest less than $1000 into a graphics card can guess most passwords within a few days. The reason is that the approach used by Chrome to convert that passphrase into an encryption key (PBKDF2-HMAC-SHA1 with 1003 iterations) is ridiculously simple to brute-force. That's even true if you defined a custom passphrase, unless that passphrase is truly random rather than being a typical human-chosen password.

I wouldn't use anything Google for Snowden-level needs, but for ordinary-privacy needs, I'd go with a passphrase on Google Sync at a minimum (so that an attacker accessing your Google Account has another layer to get through before he has your passwords).

Also, note that all of this goes out the window if anyone manages to install a keylogger (maybe complemented by a screen scraper and mouse click recorder to combat on-screen keyboards) on your PC.

Since Firefox is open source and Mozilla has a better track record regarding privacy than Google does, the likelihood of them trying to compromise your data seems far lower.

Choose your paranoia level as you like, and based on your needs.

You can add an additional measure of security by running your own private Sync server instead of using Mozilla's. However, this makes the assumption that Mozilla is being honest about how the system works, and there's no gaping hole (or backdoor) in their security. If you choose a good password, it should be impossible for Mozilla or anyone to access your passwords. With Firefox, the security of your data hinges on how secure your Firefox Account password is.

You can remove the opportunity entirely by no longer using Google products (what if they really bundled a keylogger with Google Drive or Chrome? And with Gmail, password reset requests could be intercepted in one way or another, possibly resulting in Google accessing your accounts, even if your passwords are uncrackable).
You can reduce the opportunity for Google to intercept your passwords by using an offline password manager like KeePass in conjunction with Chrome as your browser.

Encrypt all synced data with your own sync passphrase: Select this if you'd like to encrypt all the data you've chosen to sync. You can provide your own passphrase that will only be stored on your computer.

With this option, Google does not have access to your data, assuming they are being honest about what happens with your passphrase (what happens if you forget your passphrase makes it clear that they do not store it for your benefit), don't have some gaping hole (or backdoor) in their sync security, and your passphrase is secure enough to withstand a brute-force attempt by Google (such a password is possible, but very atypical).

Encrypt synced passwords with your Google credentials: This is the default option. Your saved passwords are encrypted on Google's servers and protected with your Google Account credentials.

With this option, Google has access to your data.

Only a fool trusts everyone, but only a bigger fool trusts no one.

This level of trust is more than I would want to place in them, so in this situation, I would choose not to save passwords or sync data to their services, but that's just my preference. This is simply the result of them being party to the creation of the cipher key (your credentials), leaving them in a position to save and potentially misuse the keys. That said, however, Google still has the capability to decrypt your data, though they don't make that known. So, if everything is working correctly, Google themselves can be trusted, and the Google infrastructure is sufficiently secure to keep interested third parties out (read: NSA, criminal hackers, etc.), then your data is safe.
Google indicates that this data cannot be decrypted without knowledge of your password, and that in fact, when your credentials change, all synced data must be deleted from their systems, and can then be re-synced from your devices (and in the process is re-encrypted with your new credentials). That said, the data is encrypted, and access to it is limited.

By default, Google encrypts your synced data using your account credentials. If sync is enabled, and you opt to save a password, that password will be sent to Google's servers.
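
To put numbers on the PBKDF2-HMAC-SHA1 point above, this added example (not part of the original text) derives a key at the 1003 iterations the text mentions and estimates how long a randomly chosen passphrase space takes to exhaust. The salt, key length, 600,000-iteration comparison value and attacker hash rate are assumptions chosen for illustration.

```python
import hashlib
import math
import time

PAGE_ITERATIONS = 1003        # iteration count stated in the text
ASSUMED_STRONGER = 600_000    # assumption: comparison value, not from the page
SALT = b"constructed-salt"    # constructed sample salt
KEY_LEN = 16                  # assumption: 128-bit derived key
ASSUMED_HASH_RATE = 1e9       # assumption: attacker HMAC-SHA1 iterations/second


def derive_key(passphrase, iterations, salt=SALT, key_len=KEY_LEN):
    """PBKDF2-HMAC-SHA1, the construction named in the text."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, iterations, key_len)


def seconds_per_derivation(iterations, samples=3):
    """Best-of-N local CPU time for one derivation at this iteration count."""
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed sample passphrase", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def entropy_bits(alphabet_size, length):
    """Entropy of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(bits, iterations, hash_rate=ASSUMED_HASH_RATE):
    """Worst-case days to try all 2**bits candidates at the given KDF cost."""
    guesses_per_second = hash_rate / iterations
    return 2 ** bits / guesses_per_second / 86_400


if __name__ == "__main__":
    for n in (PAGE_ITERATIONS, ASSUMED_STRONGER):
        print(f"{n:>7} iterations: {seconds_per_derivation(n) * 1000:.2f} ms per guess locally")
    candidates = {"8 random lowercase letters": entropy_bits(26, 8),
                  "16 random alphanumerics": entropy_bits(62, 16)}
    for label, bits in candidates.items():
        for n in (PAGE_ITERATIONS, ASSUMED_STRONGER):
            print(f"{label} ({bits:.1f} bits), {n} iterations: "
                  f"{days_to_exhaust(bits, n):.3g} days")
```

At the assumed hash rate, eight random lowercase letters are exhausted in about 2.4 days at 1003 iterations, while sixteen random alphanumeric characters stay far out of reach at either iteration count.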