Google-chrome – I’m using Chrome and Chrome Sync; does Google have access to the passwords

google-chromepasswordsprivacySecurity

I've been using Chrome (and Chrome Sync) for many years now. Does that mean Google, the owner of Chrome, knows all my passwords?

I ask because I realized that Google owns Chrome, and also, it is a closed source browser, which means there could be some sort of backdoor that allows the browser to collect my passwords.

Also, is it the same case with Firefox?

Best Answer

Short answer, yes. If sync is enabled, and you opt to save a password, that password will be sent to Google's servers. That said, the data is encrypted, and access to it is limited.

By default, Google encrypts your synced data using your account credentials. Google indicates that this data cannot be decrypted without knowledge of your password, and that in fact, when your credentials change, all synced data must be deleted from their systems, and can then be re-synced from your devices (and in the process is re-encrypted with the your new credentials).

So, if everything is working correctly, Google themselves can be trusted, and the Google infrastructure is sufficiently secure to keep interested third parties out (read NSA, criminal hackers, etc) then your data is safe. That said, however, Google still has the capability to decrypt your data, though they don't make that known. This is simply the result of them being party to the creation of the cipher key (your credentials), leaving them in a position to save and potentially misuse the keys.

This level of trust is more than I would want to place in them, so in this situation, I would choose not to save passwords or sync data to their services, but that's just my preference. Only a fool trusts everyone, but only a bigger fool trusts no one.