> The other aspect that came out of Amos' investigation was that passwords.google.com seems to store your passwords in an encrypted from that uses your google login password. This allows anyone who knows your password – say, because Safari auto-filled it for you – to be able to decrypt your cloud passwords.
This up to the user, he has a choice. Google gives you the ability to use a separate password, one which Google will not remember for you, to encrypt all your Chrome-Sync data. This is your sync password. You can choose to let Google manage this for you, in which case it explicitly uses your Google password and Google could read all your sync data, or you can manage it by yourself ("Sync Passphrase"). If you switch between methods, all Sync-data (Bookmarks, Passwords, AutoFill, ...) is deleted.
This up to the user, he has a choice. Google gives you the ability to use a separate password, one which Google will not remember for you, to encrypt all your Chrome-Sync data. This is your sync password. You can choose to let Google manage this for you, in which case it explicitly uses your Google password and Google could read all your sync data, or you can manage it by yourself ("Sync Passphrase"). If you switch between methods, all Sync-data (Bookmarks, Passwords, AutoFill, ...) is deleted.