You seem to be curious specifically about the key used to encrypt the passwords in Chrome.
The answer is:
Every password is encrypted with a different random key.
And then the encrypted password is stored in the SQLite database file:
%LocalAppData%\Google\Chrome\User Data\Default\Login Data
You can use something like SQLite Database Browser or SQLite Maestro to view it. Here's a snippet from my Login Data file:
origin_url username_value password_value
======================================== ============== ========================
http://thepiratebay.org/register JolineBlomqvist@example.com 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000BB0E1F4548ADC84A82EC0873552BCB460000000002000000000003660000C0000000100000006811169334524F33D880DE0C842B9BBB0000000004800000A00000001000000043C8E23979F5CC5499D73610B969A92A08000000EE07953DEC9F7CA01400000098B5F0F01E35B0DC6BBAFC53A9B1254AC999F4FA
You'll notice the password is an encrypted blob of data. The approximate algorithm to encrypt a new password is:
- generate a new random session key
- encrypt the password with the session key
- encrypt the session key with the user's RSA public key
- generate a Message Authentication Code (HMAC) for the encrypted data
- concatenate the encrypted session key, the encrypted password, and the MAC
And Chrome saves that blob to its SQLite database.
But to answer your question: Where does the encryption key come from?
Each password is encrypted with a different randomly generated key
The Technical Details
Of course I left out the technical details. Chrome does not encrypt your passwords itself. Chrome does not have a master key used to encrypt anything. Chrome does not do the encryption. Windows does.
There is a Windows function, CryptProtectData, which is used to encrypt any arbitrary data you like. The details of calling it are less important. But if I invent a pseudo-language that is somewhat decipherable as any programming language, Chrome calls:
CryptProtectData(
{ cbData: 28, pbData: "correct battery horse staple" },
"The password for superuser.com and all the glee therein",
null, //optional entropy
null, //reserved
null, //prompt options
0, //flags
{ cbData: pbData: }); //where the encrypted data will go
So the password:
- Plaintext:
correct battery horse staple
- Encrypted:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000BB0E1F4548ADC84A82EC0873552BCB460000000002000000000003660000C0000000100000006811169334524F33D880DE0C842B9BBB0000000004800000A00000001000000043C8E23979F5CC5499D73610B969A92A08000000EE07953DEC9F7CA01400000098B5F0F01E35B0DC6BBAFC53A9B1254AC999F4FA
You'll notice that I never needed to supply a password. That is because Windows takes care of all of that. In the end:
- a random password is generated to encrypt the password
- that password is encrypted with a random password
- that password is encrypted with your Windows password
So the only way for someone to know your password is if they know your password.
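The blob shown above is a standard DPAPI blob, and its header is not encrypted: it names the provider, the GUID of the user's master key that protects it, the cipher and hash algorithms, and the lengths of the salt, ciphertext and HMAC. The following parser is an added example and is not code from the answer above or from Chrome; it walks that header (the widely documented DPAPI_BLOB layout) without decrypting anything, and it loads the answer's sample row into an in-memory SQLite table with a constructed minimal `logins` schema to stand in for the real Login Data file. Its practical use is triage: for each stored credential it tells you which master key GUID the blob depends on, which is what ties the blob to a specific user's Windows logon secret. The `triage_login_data` and `build_sample_login_data` names are mine.

```python
"""Parse the plaintext header of a Windows DPAPI blob (CryptProtectData output).

Added example, not part of the original answer. The header carries no key
material, only a reference (GUID) to the master key that protects the blob,
so it can be inspected to see which user master key a stored password
depends on. Layout: the documented DPAPI_BLOB structure.
"""
import sqlite3
import struct
import uuid

# The password_value from the answer's Login Data snippet, grouped by field.
CHROME_BLOB_HEX = (
    "01000000 D08C9DDF0115D1118C7A00C04FC297EB 01000000 "
    "BB0E1F4548ADC84A82EC0873552BCB46 00000000 02000000 0000 "
    "03660000 C0000000 10000000 6811169334524F33D880DE0C842B9BBB 00000000 "
    "04800000 A0000000 10000000 43C8E23979F5CC5499D73610B969A92A "
    "08000000 EE07953DEC9F7CA0 14000000 98B5F0F01E35B0DC6BBAFC53A9B1254AC999F4FA"
)

# Provider GUID present in every DPAPI blob, and the CAPI algorithm ids seen in practice.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}


class _Reader:
    """Cursor over the blob; every read is bounds-checked so a truncated blob raises."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))  # GUIDs are stored little-endian

    def counted(self) -> bytes:
        return self.take(self.u32())  # DWORD length followed by that many bytes


def parse_dpapi_blob(blob: bytes) -> dict:
    """Return the header fields of a DPAPI blob; raises ValueError if it is not one."""
    r = _Reader(blob)
    version, provider = r.u32(), r.guid()
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a version-1 DPAPI blob")
    info = {"provider_guid": str(provider), "masterkey_version": r.u32()}
    info["masterkey_guid"] = str(r.guid())      # which master key file protects this blob
    info["flags"] = r.u32()
    info["description"] = r.counted().decode("utf-16-le").rstrip("\x00")
    info["crypt_alg"] = CALG_NAMES.get(alg := r.u32(), hex(alg))
    info["crypt_bits"] = r.u32()
    info["salt"] = r.counted().hex()
    info["hmac_key"] = r.counted().hex()        # normally empty in modern blobs
    info["hash_alg"] = CALG_NAMES.get(alg := r.u32(), hex(alg))
    info["hash_bits"] = r.u32()
    info["hmac2_key"] = r.counted().hex()
    info["data_len"] = len(r.counted())         # ciphertext length, not the plaintext
    info["sign_len"] = len(r.counted())         # trailing HMAC over the blob
    if r.pos != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return info


def build_sample_login_data() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's Login Data: one row from the answer above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    conn.execute("INSERT INTO logins VALUES (?, ?, ?)",
                 ("http://thepiratebay.org/register", "JolineBlomqvist@example.com",
                  bytes.fromhex(CHROME_BLOB_HEX)))
    return conn


def triage_login_data(conn: sqlite3.Connection) -> list:
    """List (origin_url, username, master key GUID, cipher) for every stored credential."""
    rows = []
    for url, user, blob in conn.execute("SELECT origin_url, username_value, password_value FROM logins"):
        hdr = parse_dpapi_blob(blob)
        rows.append((url, user, hdr["masterkey_guid"], hdr["crypt_alg"]))
    return rows


if __name__ == "__main__":
    for field, value in parse_dpapi_blob(bytes.fromhex(CHROME_BLOB_HEX)).items():
        print(f"{field:18} {value}")
    print(triage_login_data(build_sample_login_data()))
```

Two things the parse makes visible: the blob's `description` is empty, so the application-supplied description string is not what ties the blob to Chrome, and the only secret-related field is `masterkey_guid`, a pointer into the user's DPAPI master key store rather than a key. On a real Login Data copy, the same query against the `logins` table works once Chrome is closed (the file is locked while the browser runs).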
I'd personally use KeePass.
Not only does KeePass have a portable version (that you can run straight off of a UFD), it's a full-featured password database, with an 'auto-type' feature so no one needs to see what your password is.
Best Answer
My favorite password storage tool is KeePass:
Is there any limit as to how many passwords you can store in it?
Only in theory. You can put as many entries into the database as you want, but at some point your USB key or HDD will be full.
Is there a way to automatically sync changed passwords?
No, not like you expect it.
You'll want to make that a regular, manual process. This cannot and should not be automated.
I like to set up expiration dates for all my password entries:
Then I remember to change my passwords regularly. I store the URL of the website with the password entry, so it's a quick process.
Can I automatically log on to a website like Facebook using this software?
No, not automatically either (at least to my knowledge). But this is where Auto-Type comes into play. For example, for Facebook, this is my Auto-Type setup:
As you can see, I've created 3 configurations for different browser titles. This allows me to simply go to facebook.com, press Ctrl+Alt+A, and the username and password will be automatically entered and I will be logged in. If you have multiple username/password combinations for the same window title, you'll get a popup window asking you which password entry should be used.
What about mobile?
There are apps that support the KeePass container format on mobile devices. But I stay away from those. I just don't like the thought of my KeePass database on my phone.
I prefer to only transfer single passwords using the QR Code Generator plugin. It lets you generate a QR Code from a password, which you can then scan with your phone. It helps to have an app that can copy the scanned content to clipboard.