I'm using Chrome and Chrome Sync; does Google have access to my passwords?
Solution 1:
Short answer, yes. If sync is enabled, and you opt to save a password, that password will be sent to Google's servers. That said, the data is encrypted, and access to it is limited.
By default, Google encrypts your synced data using your account credentials. Google indicates that this data cannot be decrypted without knowledge of your password, and that in fact, when your credentials change, all synced data must be deleted from their systems, and can then be re-synced from your devices (and in the process is re-encrypted with the your new credentials).
So, if everything is working correctly, Google themselves can be trusted, and the Google infrastructure is sufficiently secure to keep interested third parties out (read NSA, criminal hackers, etc) then your data is safe. That said, however, Google still has the capability to decrypt your data, though they don't make that known. This is simply the result of them being party to the creation of the cipher key (your credentials), leaving them in a position to save and potentially misuse the keys.
This level of trust is more than I would want to place in them, so in this situation, I would choose not to save passwords or sync data to their services, but that's just my preference. Only a fool trusts everyone, but only a bigger fool trusts no one.
Solution 2:
It depends on your encryption settings.
- Encrypt synced passwords with your Google credentials: This is the default option. Your saved passwords are encrypted on Google's servers and protected with your Google Account credentials.
With this option, Google has access to your data.
- Encrypt all synced data with your own sync passphrase: Select this if you'd like to encrypt all the data you've chosen to sync. You can provide your own passphrase that will only be stored on your computer.
With this option, Google does not have access to your data, assuming they are being honest about what happens with your passphrase (what happens if you forget your passphrase makes it clear that they do not store it for your benefit), don't have some gaping hole (or backdoor) in their sync security, and your passphrase is secure enough to withstand a brute force attempt by Google (such a password is possible, but very atypical).
You can reduce the opportunity for Google to intercept your passwords by using an offline password manager like KeePass in conjunction with Chrome as your browser. You can remove the opportunity entirely by no longer using Google products (what if they really bundled a keylogger with Google Drive or Chrome? And with Gmail, password reset requests could be intercepted in one way or another, possibly resulting in Google accessing your accounts, even if your passwords are uncrackable).
With Firefox, the security of your data hinges on how secure your Firefox Account password is. If you choose a good password, it should be impossible for Mozilla or anyone to access your passwords. However, this makes the assumption that Mozilla is being honest about how the system works, and there's no gaping hole (or backdoor) in their security. You can add an additional measure of security by running your own private Sync server instead of using Mozilla's. Since Firefox is open source and Mozilla has a better track record regarding privacy than Google does, the likelihood of them trying to compromise your data seems far lower.
Choose your paranoia level as you like, and based on your needs. I wouldn't use anything Google for Snowden-level needs, but for ordinary-privacy needs, I'd go with a passphrase on Google Sync at a minimum (so that an attacker accessing your Google Account has another layer to get through before he has your passwords).
Also, note that all of this goes out the window if anyone manages to install a keylogger (maybe complemented by a screen scraper and mouse click recorder to combat on-screen keyboards) on your PC.
Solution 3:
Your paranoia is well-justified. Yes, Google can access your passwords. That's even true if you defined a custom passphrase, unless that passphrase is truly random rather than being a typical human-chosen password. Reason is, the approach used by Chrome to convert that passphrase into an encryption key (PBKDF2-HMAC-SHA1 will 1003 iterations) is ridiculously simple to bruteforce. It doesn't take Google's resources, anybody willing to invest less than $1000 into a graphics card can guess most passwords within a few days. The current implementation even fails to set a variable salt, which allows guessing passphrases for all accounts in parallel. Edit (2020-03-15): As of Chrome 80, a better implementation is used. So your passwords will be safe as long as you set a passphrase.
Current Firefox Sync implementation is considerably better. Anybody merely accessing data on the server won't be able to do a whole lot with it, the protection is sane. The client-side component of that protection is currently suboptimal however (PBKDF2-HMAC-SHA256 with 1000 iterations), so anybody who is able to intercept the password hash as it is being sent to the server will be able to guess your password with comparably little effort.
Additional information:
- My blog post on the topic
- Chromium issue 820976
- Mozilla bug 1320222