Hi all,
I use Chrome. I have a number of passwords saved. But I think I found a security issue and was wondering if anyone wanted to see if they had the same result (or already knows about it.)
Today, I was messing around with Chrome. I clicked on log out and then use another account. I created a new one using a non gmail account. When it came up, I still had all the same bookmarks, etc. So I went into settings and chose reset (advanced, at the bottom) as well as changed the default startup to be a new page. I then closed Chrome and rebooted the computer.
I start Chrome, and log in using the new email ID, I still see all the previous bookmarks. And if I go to settings, passwords, I can see all the passwords for all the sites that belonged to my real Gmail account. But I am logged in using the new email ID account.
The funny thing is if I go to settings/passwords, I can see all the passwords. But if I click on the option to view and manage saved passwords in your Google Account - on that web page, it says I have none... Very strange.
And yes, the passwords are *'ed out, but if you click on the eye icon and enter the Windows login password, you can then see them as pure text.
Just curious to see if anyone else can replicate it.
Fletcher
Fletcher Johnson
FletcherSJohnson@Yahoo.com
LinkedIn.com/in/FletcherJohnson
twitter.com/fletcherJ
strava.com/athletes/fletcherjohnson
408-946-0960 - work
408-781-2345 - cell
Malcolm,
I agree about using various password managers, but it's not uncommon for people to have some passwords saved in a browser (sometimes without even realizing it.)
I am more interested if this is repeatable or if it's just something weird with my computer/configuration. If it is repeatable, it's a good thing for us to know.
Fletcher
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of Malcolm Greene Sent: Monday, January 14, 2019 4:35 PM To: profox@leafe.com Subject: Re: Hey, can you test this...
Fletcher,
I use Chrome. I have a number of passwords saved ...
Stop. Disable your browser(s) password saving features. Use a password manager like 1Password or LastPass.
I'm a big 1Password fan myself.
Malcolm
On Tue, Jan 15, 2019 at 12:29 PM Fletcher Johnson FletcherSJohnson@yahoo.com wrote:
Malcolm,
I agree about using various password managers, but it's not uncommon for people to have some passwords saved in a browser (sometimes without even realizing it.)
It may be better to write down your passwords in a notebook using a pen. Digital password wallets are too dangerous and unsafe.
/Notebook/
The only way this would be useful is if you carried that notebook w/ you everywhere you went, which would thus make it extremely insecure. Password managers are accessible from anywhere and can generate unique and extremely long (i.e. secure) passwords. They can only be unlocked w/ a master password that you know and you can set up 2FA if they're opened from anyplace new.
Use a digital password vault.
Eric
On Tue, Jan 15, 2019 at 8:38 AM Man-wai Chang changmw@gmail.com wrote:
On Tue, Jan 15, 2019 at 12:29 PM Fletcher Johnson FletcherSJohnson@yahoo.com wrote:
Malcolm,
I agree about using various password managers, but it's not uncommon for people to have some passwords saved in a browser (sometimes without even realizing it.)
It may be better to write down your passwords in a notebook using a pen. Digital password wallets are too dangerous and unsafe.
-- .~. Might, Courage, Vision. SINCERITY! / v \ 64-bit Fedora 25 Server Spin /( _ )\ http://sites.google.com/site/changmw ^ ^ May the Force and farces be with you!
I switched a little over two years ago to LastPass and I love it. I am using randomly generated passwords between 12 and 15 characters long and I've never felt more secure. LastPass has a plugin for all browsers and apps for iPhone and Android devices, so I'm never more than one password away from about 300 unique and individually generated passwords.
More importantly, they have a test function that will review all of your passwords, note those that need updating or that are insecure and will score your security level on the basis of the passwords you are using.
I know I sound like an advertisement, but I couldn't be happier with LastPass.
Paul H. Tarver
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of Eric Selje Sent: Tuesday, January 15, 2019 10:11 AM To: profoxtech@leafe.com Subject: Re: Hey, can you test this...
/Notebook/
The only way this would be useful is if you carried that notebook w/ you everywhere you went, which would thus make it extremely insecure. Password managers are accessible from anywhere and can generate unique and extremely long (i.e. secure) passwords. They can only be unlocked w/ a master password that you know and you can set up 2FA if they're opened from anyplace new.
Use a digital password vault.
Eric
On Jan 15, 2019, at 10:23 AM, Paul H. Tarver paul@tpcqpc.com wrote:
I know I sound like an advertisement, but I couldn't be happier with LastPass.
I’ve been using LastPass for about 8 years, and can’t say enough good things about it. So include me in your advertisement! :)
-- Ed Leafe
Hey, Fletcher:
Not sure of the initial conditions and if it can be reproduced. Which OS? Tablet, phone or PC? I also use Chrome, across Windows, Chromebooks, Android and Linux, and Google knows who I am and syncs bookmarks, history and a disturbing amount more across the platforms. I don't store passwords in the Chrome browser because all the browser data stores are less secure. I happen to use LastPass but there may be better solutions.
It seems that once you have logged into Chrome using a Gmail account, Google feels free (okay, you probably clicked an 'OK' somewhere along the line) to store lots of info about Chrome, like a roaming profile, in the Gmail account, and access it even if you are "logged out," and Google restores that state when it feels like it.
So, if you decide to use Chrome on a public computer (I advise against!) or someone else's computer, I'd strongly recommend you log in using a guest (OS) account, and when you're done go to Settings, Advanced, Privacy and security, Clear browsing history, Advanced again and select all. Don't use the "Reset and clean up" options at the very bottom, because they're intended to fix a wonky browser without losing the history.
Two-factor authentication, Privacy Badger, HTTPS Everywhere, and ad blocking are pretty much my minimal settings these days.
On Mon, Jan 14, 2019 at 7:28 PM Fletcher Johnson FletcherSJohnson@yahoo.com wrote:
Hi all,
I use Chrome. I have a number of passwords saved. But I think I found a security issue and was wondering if anyone wanted to see if they had the same result (or already knows about it.)
Today, I was messing around with Chrome. I clicked on log out and then use another account. I created a new one using a non gmail account. When it came up, I still had all the same bookmarks, etc. So I went into settings and chose reset (advanced, at the bottom) as well as changed the default startup to be a new page. I then closed Chrome and rebooted the computer.
I start Chrome, and log in using the new email ID, I still see all the previous bookmarks. And if I go to settings, passwords, I can see all the passwords for all the sites that belonged to my real Gmail account. But I am logged in using the new email ID account.
The funny thing is if I go to settings/passwords, I can see all the passwords. But if I click on the option to view and manage saved passwords in your Google Account - on that web page, it says I have none... Very strange.
And yes, the passwords are *'ed out, but if you click on the eye icon and enter the Windows login password, you can then see them as pure text.
Just curious to see if anyone else can replicate it.
Fletcher
So, if you decide to use Chrome on a public computer (I advise against!) or someone else's computer, I'd strongly recommend you log in using a guest (OS) account,
And/or do your browsing in a private Incognito tab (they're not just for looking at nude people, folks!)
On 16/01/2019 11:37, Alan Bourke wrote:
And/or do your browsing in a private Incognito tab (they're not just for looking at nude people, folks!)
The only decent excuse I have heard for using a private tab was a mate who was looking for a present for his wife and wanted it to be a surprise. Now I've heard two :-)
Peter