{"id":1961,"date":"2019-02-09T07:00:09","date_gmt":"2019-02-09T12:00:09","guid":{"rendered":"https:\/\/langa.com\/?p=1961"},"modified":"2019-02-09T10:38:58","modified_gmt":"2019-02-09T15:38:58","slug":"german-researchers-find-flaw-in-password-checker","status":"publish","type":"post","link":"https:\/\/langa.com\/index.php\/2019\/02\/09\/german-researchers-find-flaw-in-password-checker\/","title":{"rendered":"German researchers find ‘flaw’ in Password Checker"},"content":{"rendered":"\n

Reader Doug* sent in this report after reading, \u201cNew, free Chrome extension checks for password hacks in real time<\/a>.\u201d <\/p>\n\n\n\n

“Fred …found this in a forum…..a security flaw in the Password Checker extension…from Google…unfortunately it is in German….but perhaps you can further research the security flaw:
<\/em>https:\/\/www.kuketz-blog.de\/chrome-add-on-password-checkup-uebermittelt-domainname\/<\/em><\/a>
and
<\/em>https:\/\/www.deskmodder.de\/blog\/2019\/02\/06\/password-checkup-google-uebermittelt-doch-nicht-alles-verschluesselt\/<\/em><\/a> “<\/p>\n\n\n\n

Thanks, Doug! Yes, a German researcher looked at the datastream that Password Checker sends, and found that all username\/password info is indeed fully encrypted or otherwise screened, as claimed; but the domain of the site you\u2019re logging into is sent in the clear, maybe.  (I say “maybe” because the report doesn’t say how they bypassed the innate SSL-encryption to snoop on the data exchange.)<\/p>\n\n\n\n

I agree it would be better if all info from Password Checker were fully encrypted because, well, why not?<\/p>\n\n\n\n

But I’m not going to worry about a potentially-visible URL: Under normal circumstances, URL info already gets scattered everywhere — recorded in the Browser History; parsed by URL-completion and page-prediction\/caching services; processed, translated to IP and handled by various DNS servers, multiple ISPs and every single router<\/strong><\/em> along the way. Is Password Checker also knowing the URL really a problem?<\/p>\n\n\n\n

And even if it is, does it really add to your risk?<\/p>\n\n\n\n

If someone has camped on your connection, broken your SSL encryption, and is monitoring your datastream, you’re already screwed. Password Checker isn’t your problem.<\/p>\n\n\n\n

Maybe I’m missing something, but plaintext URLs seem like a very minor thing.<\/p>\n\n\n\n

Still, I agree it would be better if all info from Password Checker were fully encrypted. Again, why not?<\/p>\n\n\n\n

Permalink: <\/em><\/strong>https:\/\/langa.com\/?p=1961<\/em><\/strong><\/a><\/p>\n\n\n\n

\n\n\n\n

* Want to ask Fred a question? Have a comment? Click here!<\/a><\/strong><\/p>\n\n\n\n

Want free notification of new content like this? Click here<\/a>!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Reader Doug* sent in this report after reading, \u201cNew, free Chrome extension checks for password hacks in real time.\u201d “Fred …found this in a forum…..a security flaw in the Password Checker extension…from Google…unfortunately it is in German….but perhaps you can further research the security flaw:https:\/\/www.kuketz-blog.de\/chrome-add-on-password-checkup-uebermittelt-domainname\/andhttps:\/\/www.deskmodder.de\/blog\/2019\/02\/06\/password-checkup-google-uebermittelt-doch-nicht-alles-verschluesselt\/ “ Thanks, Doug! Yes, a German researcher looked at the datastream that…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,28,25,24,5],"tags":[],"class_list":["post-1961","post","type-post","status-publish","format-standard","hentry","category-a-reader-asks","category-browsers","category-from-the-inbox","category-reader-comment","category-windows"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paaiox-vD","jetpack-related-posts":[{"id":1957,"url":"https:\/\/langa.com\/index.php\/2019\/02\/08\/reader-response-on-chromes-new-password-checker\/","url_meta":{"origin":1961,"position":0},"title":"Reader response on: Chrome’s new Password Checker","author":"Fred Langa","date":"2019-02-08","format":false,"excerpt":"Wow! Yesterday\u2019s item, \u201cNew, free Chrome extension checks for password hacks in real time\u201d generated a ton of replies\u2026 and questions! For example, over on the AskWoody lounge, a number of readers expressed concerns about explicitly asking a Google product to examine your passwords. As I explained there, I completely\u2026","rel":"","context":"In "A reader asks..."","block_context":{"text":"A reader asks...","link":"https:\/\/langa.com\/index.php\/category\/a-reader-asks\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1946,"url":"https:\/\/langa.com\/index.php\/2019\/02\/07\/new-free-chrome-extension-checks-for-password-hacks-in-real-time\/","url_meta":{"origin":1961,"position":1},"title":"New, free Chrome extension checks for password hacks in real time","author":"Fred Langa","date":"2019-02-07","format":false,"excerpt":"Google's new Password Checkup extension for desktop Chrome automatically checks your passwords, as you use them, against a Google-developed database of some four billion known hacked\/stolen logon credentials. (Fig. 1) Fig. 1: Google's free Password Checkup for desktop Chrome monitors your passwords in real-time, to see if they've been hacked\/stolen.\u2026","rel":"","context":"In "Browsers"","block_context":{"text":"Browsers","link":"https:\/\/langa.com\/index.php\/category\/browsers\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/langa.com\/wp-content\/uploads\/2019\/02\/password-checkup-for-chrome.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":3413,"url":"https:\/\/langa.com\/index.php\/2019\/09\/13\/how-should-i-check-the-authenticity-of-a-password\/","url_meta":{"origin":1961,"position":2},"title":"“How should I check the authenticity of a password?”","author":"Fred Langa","date":"2019-09-13","format":false,"excerpt":"(Answer requested by Aditya Verma) If you really mean \u201cauthenticity,\u201d that\u2019s a programmatic question, and I can\u2019t help you: You\u2019ll need to hire someone (or learn yourself) to compare whatever password you\u2019re trying to authenticate to whatever database or algorithm or other authentication-source you specify. But if you mean you\u2026","rel":"","context":"In "A reader asks..."","block_context":{"text":"A reader asks...","link":"https:\/\/langa.com\/index.php\/category\/a-reader-asks\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2523,"url":"https:\/\/langa.com\/index.php\/2019\/04\/04\/a-reader-asks-can-getting-the-password-wrong-on-your-phone-too-many-times-make-it-factory-reset\/","url_meta":{"origin":1961,"position":3},"title":"A reader asks: “Can getting the password wrong too many times make your phone factory reset?”","author":"Fred Langa","date":"2019-04-04","format":false,"excerpt":"Yup. It's a security feature, so that a hacker or thief won't have an infinite number of chances to break into your phone. For example, Android 9 (\"Pie\") on a Samsung, will optionally perform a factory reset after 15 consecutive failed logons\/unlocks. For example, Android 9\/Pie has its auto-reset function\u2026","rel":"","context":"In "Misc"","block_context":{"text":"Misc","link":"https:\/\/langa.com\/index.php\/category\/misc\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/langa.com\/wp-content\/uploads\/2019\/04\/autodelete-phone.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":3255,"url":"https:\/\/langa.com\/index.php\/2019\/09\/04\/how-do-i-access-a-factory-reset-android-phone-when-i-no-longer-remember-the-account-and-password\/","url_meta":{"origin":1961,"position":4},"title":"“How do I access a factory-reset Android phone when I no longer remember the account and password??”","author":"Fred Langa","date":"2019-09-04","format":false,"excerpt":"When you first set up a standard smartphone (I'll discuss burner phones later), you almost surely signed in with some external service --- if not, the phone wouldn't do anything! That sign-in information probably exists somewhere online, and can be recovered. For example, if yours is a standard Android setup,\u2026","rel":"","context":"In "A reader asks..."","block_context":{"text":"A reader asks...","link":"https:\/\/langa.com\/index.php\/category\/a-reader-asks\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/langa.com\/wp-content\/uploads\/2019\/08\/google-account-recovery.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/langa.com\/wp-content\/uploads\/2019\/08\/google-account-recovery.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/langa.com\/wp-content\/uploads\/2019\/08\/google-account-recovery.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/langa.com\/wp-content\/uploads\/2019\/08\/google-account-recovery.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":3581,"url":"https:\/\/langa.com\/index.php\/2019\/10\/10\/how-many-passwords-do-you-keep-for-smartphones-laptops\/","url_meta":{"origin":1961,"position":5},"title":"“How many passwords do you keep for smartphones & laptops?”","author":"Fred Langa","date":"2019-10-10","format":false,"excerpt":"(Answer requested by Byron Inductivo) I currently have over 700 passwords in use, but I only have to remember one. I use a password manager on all my devices: I only have to remember the password-manager's own master password. Once I enter that, the software takes over. When I encounter\u2026","rel":"","context":"In "A reader asks..."","block_context":{"text":"A reader asks...","link":"https:\/\/langa.com\/index.php\/category\/a-reader-asks\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":false,"_links":{"self":[{"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/posts\/1961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/comments?post=1961"}],"version-history":[{"count":9,"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/posts\/1961\/revisions"}],"predecessor-version":[{"id":1996,"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/posts\/1961\/revisions\/1996"}],"wp:attachment":[{"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/media?parent=1961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/categories?post=1961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/langa.com\/index.php\/wp-json\/wp\/v2\/tags?post=1961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}