HACKER Q&A
📣 FrenchDevRemote

Why does Google thinks it's okay to store users plain text passwords?


So I was just in the process of handling the aftermath of the theft of one of my relative's phone. Not a tech-savvy person, I'd say they're more or less as knowledgeable as the average Google user.

When checking what could be blocked from their google account, I realized that 60 of their saved passwords/mails were available in plain text when connecting to their google account from a new laptop(with no other input than mail and password), it's even exportable to a nice csv. This apparently seems to be default behavior.

Isn't that insane?

Am I naive to just realize that this is apparently normal to have this kind of stupid design from a trillion dollar tech company?

Is there any sane way of explaining why anyone could have thought that this was an acceptable idea?

  👤 wmf Accepted Answer ✓
So you're talking about Chrome password syncing? AFAIK this is encrypted so that Google doesn't see those passwords; only the user can see them. Normal people love syncing everything between their devices so Google is just giving them what they want. Note that Apple, Firefox, and password managers provide the same feature.

Passkeys are more secure than passwords so hopefully the world migrates to that over time.

👤 ahazred8ta
You logged into the google account with the password. You now have access to the information saved in the google account. Yes, that's the way logging into an account works.

> Am I naive to just now realize this

We'll give you three guesses and the first two don't count.

👤 uberman
So, how exactly would any password manager (crome included) work if they were unable to have access to the pain text password to pass it to the third party login prompt?
👤 motownphilly
I doubt the passwords are stored in plain text, but they ultimately have to be decrypted at some point. I guess you are seeing the outcome of that process.
👤 ClassyJacket
How do you think they should do it? What's the alternative?