> Here’s a strange little story that happened to me a while ago – I set up a Gmail account to deal with Nigerian letters and such (I wanted to collect some data to report the spammers/thieves, without compromising my actual e-mail address in the process). I set this up with a fake username (something like george.thompson or so) and a password which included the word “nigeria” in it. Lo and behold, after my first login (before sending/receiving any mail) the targeted advertising in Gmail included some Nigerian ads (Nigerian holidays, Nigerian business bureau, etc). Coincidence?…

If true, it seems they matched ads to the guy's password, which means they needed to be able to read it in plain text. The plain text should only ever live long enough to create or match with a hash.

I think the experiment would only be illustrative if the computer had zero past Internet use (i.e. no cookies) and the IP address was brand new. Surely Google tracks even if you don't have an account.