How safe are sync'd passwords on a stolen device

Obelix27 · March 11, 2021, 9:59am

How safe is a stolen device with sync’d passwords? I see I can delete that device from the sync chain from another device, but what does that actually do? I can see two scenarios once I have deleted the stolen device from the sync chain, but there are probably many more:

the device gets WiFi and presumably then Brave automatically deletes all the passwords on that device?
the device doesn’t get WiFi and presumably the passwords are still somewhere on the device? I guess they are encrypted, but if Brave can access them then so can someone else surely (at least in theory)?

LorisTecnology · March 11, 2021, 10:12am

if you have an android device i would suggest run a remote data wipe

Obelix27 · March 11, 2021, 11:53am

Sure, but Android’s wipe feature relies on the device connecting to the web, which especially in the case of a tablet is far from a given. So then you are still left with (2) in my original post. Or of course if a Window’s laptop is stolen, then there is no wipe feature and you are left with (1) and (2) above.

klompje · March 11, 2021, 12:15pm

Why don’t you simply delete a device (one you have access to) from your sync chain and then check on that device what the story is?

Obelix27 · March 11, 2021, 5:12pm

I can do that easily enough. But it doesn’t tell me what would happen if a proper hacker got my device. E.g. are the passwords (and sync chain) stored locally on the device, in which case someone who knew what they were doing could still in theory get hold of the passwords.

Obelix27 · March 12, 2021, 7:39am

By way of example, I just migrated from Chrome to Brave. I imported all the passwords from Chrome into Brave very easily. Too easily as it it didn’t even ask me for Chrome’s sync password. So how on earth did it get all Chrome’s passwords??? If Brave can do it then a hacker can do it … Obviously Brave’s sync function is done differently, hence my original question.

Obelix27 · March 15, 2021, 10:23am

Any thoughts anyone? Are passwords stored locally on the Android device, or does Brave go online to the sync chain to get the password every time it is needed? I assume the former, in which case the device is presumably not that safe if in the wrong hands?

klompje · March 15, 2021, 10:35am

I stand by my previous comment. There is nothing a hacker can do that you cannot do yourself if you get access to the correct tools. Personally I think the only safe option is not to store any passwords in any browser and use a dedicated password manager.

Obelix27 · March 16, 2021, 10:24am

In theory you are correct. But the reality is a hacker can get to my passwords, if they are there, very quickly, whereas it would take me a month of Sundays. It would be nice to know if the information is there for a hacker to get at should my device be stolen even if I delete it from the sync chain. Yes I can pay for a service, but why should I if Brave does what I want anyway?

TBH I am very surprised more people aren’t interested in this basic security question. After all, people have moved to Brave for privacy / security.

divyansh101dabral · March 16, 2021, 2:29pm

It might be worthwhile asking support if the passwords get stored locally. If they aren’t, you can just remove the device from the sync chain.

Obelix27 · March 16, 2021, 4:18pm

Yes, so long as they aren’t stored locally then that works fine. But this forum is the only support I can find. I am not aware of any other options, unless you know of one?

I am still VERY surprised that Brave imported all my Chrome passwords without even asking for my Chrome password. Hence the concern…