
How do you store passwords and other confidential information ?

Not quite instantly, but usually it gets synced within a few mins – if you enabled the sync under Settings.

Yes, clearly, it goes via Google’s servers (whoops I should say “cloud” ) and obviously the whole client-server session will be end-to-end encrypted using https.

What we don’t know is whether Google keeps the plain text pwd on its server. It has to have access to it in plain to present it to each website, obviously, but they would be fools to be storing it in plain on their machines.

So, it will be encrypted, but with which key? You can set up windows (e.g.) with no password for the interactive login, so they can’t be using that. They do ask you for that OS pwd when you want to view the passwords, under Settings, and most of the critiques of Chrome fail to mention this step. As you say, the variety of OSs capable of running Chrome suggests they are not using something in the OS, but they might be. R/Pi uses a version of Linux… I am sure every modern OS has a crypto API for crunching user credentials…

Other password managers e.g. 1password encrypt the store using a master pwd and then you can keep the store (the “vault”) in say dropbox (whoops I mean “the cloud”) and if your db account gets hacked, it doesn’t matter. But Chrome doesn’t use a master pwd; they explain in one of the links why it would be pointless.

Firefox offers a similar facility for syncing logins across browsers, so you could find out how they did it.

Use more than one app, it spreads the risk.

Unless they just happen to hit an important one

Take a look at Keepass (original, not clones), it addresses many problems we addressed.

Not unless you can meet all three requirements I listed. Until then, it is just another executable sitting on a server of whose security you know nuffink.

2FA does NOT provide much extra security, maybe it provides no extra security at all.

Can you give an example? Sure you can defeat it with “social engineering”.

In practice, say you are sending 50k to a builder, to bank details he emailed you, you would first send him 100 quid and call him (on a number on his website / one you used previously) to check he got it, or ask him face to face. Those who don’t do this step are gonna get severely burnt, eventually, and there is absolutely no defence. At work we do this with all new Chinese suppliers, because their IT security is usually minus zero, and would do it with anybody if a large sum was involved.

Administrator
Shoreham EGKA, United Kingdom

My banks all use name/ account number verification before processing online domestic transfers. To access the accounts online I must verify the login via an app which requires both fingerprint verification and PIN. Seems pretty secure to me.

EHLE / Lelystad, Netherlands, Netherlands

That, however, means you are in effect carrying a secure physical token with you – your phone.

And you are still trusting the app. No way around that bit. The app could be harvesting your data and emailing it to China.

Administrator
Shoreham EGKA, United Kingdom

The app generates an access code after being interrogated by the bank. I open the app with my fingerprint. Yes, I do trust it and my finger.

EHLE / Lelystad, Netherlands, Netherlands

It is still possible to have a hacked app which captures your fingerprint (or merely fakes that it saw a good one) and authorises a transfer which cleans out your bank account(s), with you being nowhere near and knowing nothing about it.

I know this is all very unlikely and theoretical. I am “just saying” that there isn’t an objectively safe solution to this challenge. You have to trust something. That is fine for transferring €x (where x is an amount you can afford to lose) but what if x was a lot bigger?

Banks normally reimburse straight fraud but they tend not to if they think the customer has been somehow complicit, and I think most attacks which involve social engineering will be in that category.

Administrator
Shoreham EGKA, United Kingdom
ESME, ESMS

Yeah… physical tokens are hard to beat, so long as you don’t lose them. Implantation?

Is that one somehow special?

Currently, speaking of 2FA, the method described here is the biggest risk with SMS based 2FA. Anytime your phone goes inexplicably dead (but shows a strong signal) this is quite likely what somebody has done to you. You have to get onto your phone company right away. Quite how the scammers achieve the rest of the login is a good Q, and that’s true for not just raiding the bank account but also for raiding any password manager. A keylogger installed via a trojan?

Administrator
Shoreham EGKA, United Kingdom

2FA does NOT provide much extra security, maybe it provides no extra security at all.

Yes it does if implemented correctly.

LDZA LDVA, Croatia

What would be the correct way?

Traditionally, the “physical token” is a mobile phone, but

  • it can be lost or stolen
  • anybody can phone your phone company and say the phone has been lost or stolen, and get a replacement SIM (of the same number) sent out to any address of his choice, because anybody can say they moved house and there is no way to check that one way or the other

The proper tokens store a PIN on a tamper-proof chip (no idea if phones have this but clearly it can be compromised unless the CPU is on the same chip, which in a phone it isn’t) but few people want to carry these tokens around.

In the UK there is a new regulation requiring a secure token for all business accounts, but not personal accounts.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

Traditionally, the “physical token” is a mobile phone, but

Peter, in my last few jobs I had an Android app that was running the same logic as a fob.
You install it, it checks that the phone is unrooted and password protected, generates the device ID based on the phone S/N etc. and then you register this ID with your company.
Then it just works like a fob – you enter your login, password and 30-sec PIN.
If it is lost, you call your employer and they cancel that ID.
And that way you don’t have to be within range for GSM to work like you need for texts sent back.

EGTR
