Is sync at least as secure as other browsers, such as Chrome? Is it safe to sync passwords between the web browser and the phone? I feel like it’s less secure than the other sync tools, such as Chrome, as there is no username and password, but maybe I’m missing something?
I'm not 100% sure, but Brave is built on Chromium, which is “the open-source projects behind the Google Chrome browser and Google Chrome OS”, so I'm gonna say most likely yes (:
On the client side, we use the same Sync mechanism as Chromium. However, there are two modes for it:
- username/password (i.e. your Google Account)
- separate secret key
In the first case, your passwords are encrypted using a key derived from your password. Since you send that password to Google when you log in to Gmail for example, Google has the ability to decrypt your passwords.
In the second case, you provide your own secret key which is never sent to the server. This means that your passwords cannot be decrypted by the server unless the server guesses your secret key (for example, if you were to use a simple password that’s easy to crack).
In Chrome, both modes are available to users, with the first one being the default.
In Brave, we only offer the second mode and we pick a long random secret key for you. This means that we have no way to look at the passwords stored on our sync server. It also means that if you lose all of your devices, your passwords cannot be recovered and you’ll have to reset them manually by visiting each site one by one.
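A simplified model of the two modes described in the answer above, added here as an illustration and not part of the original post or of Brave's or Chromium's code. The KDF (PBKDF2), the toy encrypt-then-MAC standing in for a real AEAD, the 32-byte key length and all sample values are assumptions made for the demo.

```python
import hashlib, hmac, secrets

SALT = b"constructed-demo-salt"  # constructed; a real protocol has its own parameters
VAULT = b"example.com:alice:constructed-site-password"  # constructed sample data

def derive_keys(secret: bytes):
    # Stand-in KDF (assumption): the page does not name the one the sync protocol uses.
    k = hashlib.pbkdf2_hmac("sha256", secret, SALT, 10_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(secret: bytes, plaintext: bytes) -> dict:
    # Toy encrypt-then-MAC so the demo needs only the standard library.
    enc_key, mac_key = derive_keys(secret)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def decrypt(secret: bytes, rec: dict):
    enc_key, mac_key = derive_keys(secret)
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None  # wrong secret: the record stays opaque
    return _xor_stream(enc_key, rec["nonce"], rec["ct"])

def server_view(rec: dict, secrets_known_to_server: list):
    """What the sync server can read from a stored record, given every
    secret it has received or can guess."""
    for s in secrets_known_to_server:
        pt = decrypt(s, rec)
        if pt is not None:
            return pt
    return None

def mode_account_password():
    password = b"constructed-account-password"
    rec = encrypt(password, VAULT)
    # The same password is sent to the provider at login, so the server has it.
    return server_view(rec, [password])

def mode_random_secret():
    sync_key = secrets.token_bytes(32)  # generated on the client, never uploaded
    rec = encrypt(sync_key, VAULT)
    guesses = [b"constructed-account-password", b"123456", b"password"]
    return server_view(rec, guesses), decrypt(sync_key, rec)

if __name__ == "__main__":
    print("account-password mode, server reads:", mode_account_password())
    print("random-secret mode, (server, client) read:", mode_random_secret())
```

A user-chosen secret that appears in the server's guess list is recovered the same way as the account password, which is the "simple password that's easy to crack" case from the answer.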
I’m curious about why to remove the option to sync with the Google (or some other cloud) account? Feel free to link any references. Thanks!