chrome保存密码_Google员工可以看到我保存的Google Chrome密码吗？-CSDN博客

chrome保存密码

Storing your passwords in your web browser seems like a great time saver, but are the passwords secure and inaccessible to others (even employees of the browser company) when squirreled away?

将密码存储在Web浏览器中似乎可以节省大量时间，但是当密码被松散地使用时，其他人(甚至是浏览器公司的员工)是否安全并且无法访问密码？

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

今天的“问答”环节由SuperUser提供，它是Stack Exchange的一个分支，该社区是由社区驱动的Q＆A网站分组。

问题 (The Question)

SuperUser reader MMA is curious if Google employees have (or could have) access to the passwords he stores in Google Chrome:

超级用户阅读器MMA很好奇Google员工是否可以(或可以)访问他存储在Google Chrome中的密码：

I understand that we are really tempted to save our passwords in Google Chrome. The likely benefit is two fold,

我了解我们真的很想将密码保存在Google Chrome中。可能的好处是双重的，

You don’t need to (memorize and) input those long and cryptic passwords.
您不需要(记忆和)输入那些冗长而隐秘的密码。
These are available wherever you are once you log in to your Google account.
登录到Google帐户后，无论身在何处都可以使用这些功能。

The last point sparked my doubt. Since the password is available anywhere, the storage must in some central location, and this should be at Google.

最后一点引起了我的怀疑。由于密码在任何地方都可用，因此存储必须位于某个中央位置，并且应该在Google处。

Now, my simple question is, can a Google employee see my passwords?

现在，我的简单问题是，Google员工可以看到我的密码吗？

Searching over the Internet revealed several articles/messages.

通过Internet搜索发现了几篇文章/消息。

Do you save passwords in Chrome? Maybe you should reconsider: Talks about your passwords being stolen by someone who has access to your computer account. Nothing mentioned about the central storage security and vulnerability. There is even a response from Chrome browser security tech lead about the first issue.
您是否在Chrome中保存密码？也许您应该重新考虑：谈论您的密码被有权访问您的计算机帐户的人窃取。没有提到中央存储的安全性和漏洞。 Chrome浏览器安全技术负责人甚至就第一个问题做出了回应。
Chrome’s insane password security strategy: Mostly along the same line. You can steal password from somebody if you have access to the computer account.
Chrome的疯狂密码安全策略：大致相同。如果您有权访问计算机帐户，则可以从他人那里窃取密码。
How to Steal Passwords Saved in Google Chrome in 5 Simple Steps: Teaches you how to actually perform the act mentioned in the previous two when you have access to somebody else’s account.
如何盗取密码保存在谷歌浏览器在5个简单步骤：教你如何实际执行前两个提到的，当你有机会获得别人的账户的行为。

There are many more (including this one at this site), mostly along the same line, points, counter-points, huge debates. I refrain from mentioning them here, simply carry a search if you want to find them.

还有更多(包括这一次在这个网站)，大多是在同一直线上，点，反点，巨大的争论。我不想在这里提及它们，如果您想找到它们，只需进行搜索。

Coming back to my original query, can a Google employee see my password? Since I can view the password using a simple button, definitely they can be unhashed (decrypted) even if encrypted. This is very different from the passwords saved in Unix-like OS’s where the saved password can never be seen in plain text.

回到我的原始查询，Google员工可以看到我的密码吗？因为我可以使用一个简单的按钮查看密码，所以即使加密了，也可以将它们取消隐藏(解密)。这与在类似Unix的OS中保存的密码非常不同，在后者中，保存的密码永远无法以纯文本形式显示。

They use a one-way encryption algorithm to encrypt your passwords. This encrypted password is then stored in the passwd or shadow file. When you attempt to login, the password you type in is encrypted again and compared with the entry in the file that stores your passwords. If they match, it must be the same password, and you are allowed access. Thus, a superuser can change my password, can block my account, but he can never see my password.

他们使用单向加密算法来加密您的密码。然后，此加密的密码存储在passwd或影子文件中。当您尝试登录时，您输入的密码将再次加密，并与存储密码的文件中的条目进行比较。如果它们匹配，则必须使用相同的密码，并且允许您访问。因此，超级用户可以更改我的密码，可以阻止我的帐户，但是他永远看不到我的密码。

So are his concerns well founded or will a little insight dispel his worry?

那么他的担忧是有根据的还是一点见识可以消除他的担忧？

答案 (The Answer)

SuperUser contributor Zeel helps put his mind at ease:

超级用户贡献者Zeel帮助您放心：

Short answer: No*

简短答案：否*

Passwords stored on your local machine can be decrypted by Chrome, as long as your OS user account is logged in. And then you can view those in plain text. At first this seems horrible, but how did you think auto-fill worked? When that password field gets filled in, Chrome must insert the real password into the HTML form element – or else the page wouldn’t work right, and you could not submit the form. And if the connection to the website is not over HTTPS, the plain text is then sent over the internet. In other words, if chrome can’t get the plain text passwords, then they are totally useless. A one way hash is no good, because we need to use them.

只要您登录了OS用户帐户，Chrome便可以解密存储在本地计算机上的密码。然后，您可以用纯文本格式查看密码。起初，这似乎很可怕，但是您认为自动填充的工作原理如何？填写该密码字段后，Chrome必须将真实密码插入HTML表单元素-否则该页面将无法正常工作，并且您无法提交该表单。如果与网站的连接不是通过HTTPS进行的，则纯文本随后将通过Internet发送。换句话说，如果chrome无法获得纯文本密码，则它们完全无用。单向散列是不好的，因为我们需要使用它们。

Now the passwords are in fact encrypted, the only way to get them back to plain text is to have the decryption key. That key is your Google password, or a secondary key you can set up. When you sign into Chrome and sync the Google servers will transmit the encrypted passwords, settings, bookmarks, auto-fill, etc, to your local machine. Here Chrome will decrypt the information and be able to use it.

现在，密码实际上已经加密了，使它们恢复为纯文本的唯一方法是拥有解密密钥。该密钥是您的Google密码，或者您可以设置的辅助密钥。当您登录Chrome并进行同步时，Google服务器会将加密的密码，设置，书签，自动填充等内容传输到您的本地计算机。 Chrome会在此处解密信息并能够使用它。

On Google’s end all that info is stored in its encrpyted state, and they do not have the key to decrypt it. Your account password is checked against a hash to log in to Google, and even if you let chrome remember it, that encrypted version is hidden in the same bundle as the other passwords, impossible to access. So an employee could probably grab a dump of the encrypted data, but it wouldn’t do them any good, since they would have no way to use it.*

在Google的末端，所有这些信息都以加密状态存储，并且它们没有解密它的密钥。系统会根据哈希值对您的帐户密码进行检查，以登录Google，即使您让chrome记住它，该加密版本也会与其他密码一起隐藏在同一捆绑包中，无法访问。因此，员工可能会抓取加密数据的转储，但是这样做对他们没有任何好处，因为他们将无法使用它。*

So no, Google employees can not** access your passwords, since they are encrypted on their servers.

不能，因为Google员工在服务器上进行了加密，因此他们无法**访问您的密码。

* However, do not forget that any system that can be accessed by an authorized user can be accessed by an unauthorized user. Some systems are easier to break than other, but none are fail-proof. . . That being said, I think I will trust Google and the millions they spend on security systems, over any other password storage solution. And heck, I’m a wimpy nerd, it would be easier to beat the passwords out of me than break Google’s encryption.

*但是，请不要忘记，未授权用户可以访问授权用户可以访问的任何系统。 一些系统比其他系统更容易破坏，但没有一个能保证故障。 。。 话虽如此，我想我会相信Google以及他们在安全系统上花费的数百万美元，而不是其他任何密码存储解决方案。 哎呀，我是个弱的书呆子，将密码打乱比破解Google的加密更容易。

** I am also assuming that there isn’t a person who just happens to work for Google gaining access to your local machine. In that case you are screwed, but employment at Google isn’t actually a factor any more. Moral: Hit Win + L before leaving machine.

**我还假设没有一个刚好在Google工作的人获得您本地计算机的访问权限。 在这种情况下，您很费劲，但实际上在Google的工作不再是一个因素。 道德：离开机器前按Win + L 。

While we agree with zeel that it’s a pretty safe bet (as long as your computer is not compromised) that your passwords are in fact safe while stored in Chrome, we prefer to encrypt all our logins and passwords in a LastPass vault.

尽管我们同意zeel的赌注(只要您的计算机没有受到损害)是一个非常安全的赌注，但您的密码在Chrome中存储时实际上是安全的，但我们更喜欢在LastPass保险库中对所有登录名和密码进行加密。

Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

有什么补充说明吗？在评论中听起来不对。是否想从其他精通Stack Exchange的用户那里获得更多答案？在此处查看完整的讨论线程。