From 68a10c0f4e5d5217f6c34566d4e363df6d448fa8 Mon Sep 17 00:00:00 2001 From: Aryun Gupta <38221566+AryunGupta@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:57:34 -0700 Subject: [PATCH] Update index.md updated Powerwash typo Signed-off-by: Aryun Gupta <38221566+AryunGupta@users.noreply.github.com> --- .../knowledge/ChromeOS Questionable Encryption/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/posts/knowledge/ChromeOS Questionable Encryption/index.md b/content/posts/knowledge/ChromeOS Questionable Encryption/index.md index e83e08e..f55a18e 100644 --- a/content/posts/knowledge/ChromeOS Questionable Encryption/index.md +++ b/content/posts/knowledge/ChromeOS Questionable Encryption/index.md @@ -27,12 +27,12 @@ As a result, someone with sufficient access to Google's servers would theoretica This differs from how encryption passwords are handled by other services like cloud‑based password managers — they use _client‑side hashing_ to deliberately blind the server from the actual password. As the name suggests, the browser locally executes a cryptographic hash function on the actual password and only transmits the _resultant hash_ to the server for authentication. -The user should be able to avoid this issue with the local password. While we have not done in-depth analysis to confirm that Google never has access to the local encryption password, this is likely the case since an account recovery using the Google password will require a Power Wash: +The user should be able to avoid this issue with the local password. While we have not done in-depth analysis to confirm that Google never has access to the local encryption password, this is likely the case since an account recovery using the Google password will require a Powerwash: -![Power Wash](power-wash.jpg) +![Powerwash](power-wash.jpg) ## Takeaways If Google is malicious, coerced by the government, or hacked, their servers can record the user password prior to it being hashed server‑side. That password can then be used by an adversary with physical access to unlock ChromeOS and gain access to the data stored therein, if the Google account password is used for encryption. -As a result, when setting up your Chromebook, it is highly recommended that you use a local password instead. \ No newline at end of file +As a result, when setting up your Chromebook, it is highly recommended that you use a local password instead.