google and privacy, share my case

…and it's immediately pwned.

:rolleyes:
This site got many high-profile recommendations. Anyhow, I won't discuss this any further, because we are on the terrain of believing. „Who wants to believe goes to the church, who wants to know does research.“ I am a liberal, and I let you believe anything you want, as long as you don't force me to believe the same.
 
I have to comment on the OP's situation: the email was clearly a phishing attempt. Google and privacy notwithstanding, never ever use links in email, unless it is something you JUST generated and expect, like a password reset link. Only use emails as a notification system. A certain amount of trust has to be in play to use any web site that requires a password because yes, they see it when it is submitted, until it is hashed (hopefully) and stored. To be clearer, the SYSTEM sees it.
 
Moreover, they can calculate and store all possible hashes of it to threaten me later ;-)
I have no real knowledge about encryption etc.
But if passwords are published in clear text, I guess Google can easily find out whether they match their customers' ones.
What should they do then? Not warn their affected users?
 
I have no real knowledge about encryption etc.
But if passwords are published in clear text, I guess Google can easily find out whether they match their customers' ones.
What should they do then? Not warn their affected users?
Passwords should never be in clear text, ever, except at the point of submission and probably during transport to a web server. They should be hashed and salted so the hashes are unique.
 
That's the point: why does Google store my password in clear text to compare with compromised ones?
Passwords should NEVER be stored in clear text and also should never be encrypted, they should be hashed and salted at the time of the hash. They are comparing hashes of known compromised passwords. I still maintain that the email OP received was a phishing attempt and was not real.
 
Sorry for not expressing myself clearly.

I didn't imply that Google stores passwords in cleartext.
I don't know how they store them, so I have to consider all possibilities.
For example, Facebook did (does?) store them in cleartext.

In the absence of details I think it is perfectly plausible to assume that Google just could have verified that the passwords published in clear text match the stored Google accounts' password hashes when hashed with Google's particular hash method. This would be sufficient to check whether a customer's account password is compromised.

And it is known that Google does email its customers to warn them.
A few years ago there was a big password leak, it was high-profile news in the mass media, and Google said they would warn their Gmail customers. I got such an email, verified it, and it was completely legit. But nevertheless, I did not use the link in the email (even though it was some .google.com) to change my password anyway.
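The storage scheme argued for in this thread (salted hashes, never clear text) and the check described just above (hash a leaked clear-text list with each account's own salt and compare) as one added example; this is illustrative code for this thread, not anything from Google, and the PBKDF2 parameters and sample accounts are assumptions:

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration; a real service tunes these.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash. The salt makes identical passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str) -> dict:
    """What gets stored: a fresh random salt and the hash, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt, compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def find_compromised(records: dict, leaked_plaintexts) -> set:
    """Breach response: the leaked list is in clear text, so it can be hashed with each
    user's salt and compared, without the service ever holding its users' clear text."""
    leaked = set(leaked_plaintexts)
    hits = set()
    for user, rec in records.items():
        for pw in leaked:
            if verify(rec, pw):
                hits.add(user)
                break
    return hits


def same_password_distinct_hashes(password: str) -> bool:
    """Demonstrates the 'salted so the hashes are unique' point: two users who pick
    the same password still get different stored hashes."""
    return create_record(password)["hash"] != create_record(password)["hash"]


# Constructed sample accounts and a constructed clear-text leak (not real data).
SAMPLE_RECORDS = {
    "alice": create_record("correct horse battery staple"),
    "bob": create_record("winter2019!"),
    "carol": create_record("hunter2"),
}
SAMPLE_LEAK = ["123456", "hunter2", "winter2019!", "qwerty"]
```

Note that per-user salts mean a leak of N passwords costs N hash computations per account, which is exactly the cost the slow hash imposes on anyone else trying the same comparison.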
 
I have to comment on the OP's situation: the email was clearly a phishing attempt. Google and privacy notwithstanding, never ever use links in email, unless it is something you JUST generated and expect, like a password reset link. Only use emails as a notification system. A certain amount of trust has to be in play to use any web site that requires a password because yes, they see it when it is submitted, until it is hashed (hopefully) and stored. To be clearer, the SYSTEM sees it.
I don't think so. First of all, I double-checked the links and the headers of the mail,
and second, do you think that the engine of Gmail won't detect a phishing attempt from their own server against their servers?
 
I am a web app penetration tester and look at everything from that perspective. Google wouldn't host the servers participating in a phishing attempt. I was merely stating that emails with links asking you to change your password or check your existing passwords are a huge red flag.
 
I am a web app penetration tester and look at everything from that perspective. Google wouldn't host the servers participating in a phishing attempt. I was merely stating that emails with links asking you to change your password or check your existing passwords are a huge red flag.
Agreed, but whether or not they are hosting the servers, if they don't detect a false sender with a false address passing for Gmail... that is a red flag (that is not the case here, this case is real). Believe 👽
 