Google Working On Password Generator For Chrome
Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."
http://xkcd.com/936/ Randall has it all sorted. Just use a whole lotta entropy.
I write professional videogame reviews! http://www.digitallydownloaded.net/
Its plugin is not quite seamless, but it works smoothly enough with Safari and Firefox. They're working on Chrome and Opera plugins, but they aren't there yet.
People should not fear their government. Governments should fear their people.
The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.
You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?
"What do you want Google? The Key of Orthanc, or perhaps the keys of Barad-dûr itself, along with the crowns of the seven kings, and the rods of the five wizards?"
Remember - anyone who is anti-Google is a shill. They are probably being paid with MiKKKro$oft bloody money.
Hi, my name is Anonymous Coward and I'm the average Slashdot poster.
The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.
So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.
Tired of FB/Google censorship? Visit UNCENSORED!
Let's take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.
Or realistically, that google would login as people and impersonate their accounts.
You can have my tinfoil hat, you need it more than me.
mov ah, 4ch
int 21h
I just don't get it. How will this help? It's not that people can't generate random passwords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by google accomplish?
Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords. While this is cool, kde and gnome already do it by default in ubuntu (and I assume in other distros that use them). I don't know about windows, but there should be one or two around. If there aren't (or if you really like chrome and wish to grant it control over your passwords), I just don't see how having an explorer-specific tool to manage passwords is a particularly good idea. An OS-wide password manager is much better, like the aforementioned kde and gnome implementations, because it works with whatever you're using, not just your choice of internet navigation software.
Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.
There's no chance of it outside the rare gimmick, because the infrastructure isn't cost-effective and we have all been trained to fear the government by the biggest proponents of it, the ones who want it in your bedroom and vagina.
Let's take this argument to its realistic conclusion - Google Chrome password lockin. Want easy access to your web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to, get one char wrong and you're stuck. Some like banks will definitely not email you a replacement password so that you can immediately reconnect.
Easy solution: go with pass phrases, they are easier to remember, words between 4 and 6 characters long, three words, that's 12 to 18 chars, those with mixed language capabilities have a slight advantage and only so "Googleveryobvious" and you're done ;).
Chaos - everything, everywhere, everywhen
I wonder if it will involve giving the user random selections from Shakespeare.
These are posters claiming to be panicked because Google Chrome, into which they would type and save their passwords, is offering to generate them as well.
Hopefully someone tells them about Chromium.
Let's take this argument to its realistic conclusion - Google Chrome password lockin. Want easy access to your web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters
A "realistic conclusion" given the zillions of search results for Chrome export passwords? Really?
Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.
Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.
You can't call it lock in when they give you an unencrypted well documented XML file with your data in it, moron. That's what they do for all of their web services, you think they won't make an export feature for Chrome?
They don't need lock in. Instead of doing 'Lock In' they do 'Better than the competition' which is far more effective at retaining customers. You should look into it some time.
Of course, this new feature in order to be useful for lock in would have to diverge from the current feature of chrome that lets you look up previously stored passwords already.
Do you actually have any idea at all who or what you're talking about?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I am not Google's product. Google did not produce me. Hell, I'm even older than both of the founders!
I put mine in a text file and encrypt them with a PGP key that is not on my PC. That is my backup. I trust firefox well enough to let it store them but I don't trust them not to screw up and destroy them.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Actually, I wrote my own password generator that's based off the concept of generating nonsensical but reasonably easy to remember phrases.. http://mirror.digital-flux.com/files/dark12222000/BetterPasswordJar.zip
What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.
http://www.cyberciti.biz/faq/linux-random-password-generator/
This might work nicely for those with access to a UNIX/Linux machine...
liberare massarum ex ignorantia, clausa descendit molestie.
I have always been happy with a simple "head -c6 /dev/random | mimencode -". I always used that when generating passwords for my colleagues to servers I was responsible for.
Let's take this argument to its realistic conclusion - Google Chrome password lockin. Want easy access to your web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to
Ctrl C
Ctrl V.
"I've got more toys than Teruhisa Kitahara."
I can see there being some kind of lock-in, albeit not the one you are talking about.
Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.
What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.
That could be the lock-in. All of your passwords are stored in the "Cloud" with Google. However, I am sure they would provide a secure export adhering to some standards (theirs) that other vendors could read (after circumnavigating some documentation more fucking complicated than the plans for the Death Star). Sorry, I do API programming for some Google products and I find their documentation a little lacking in some places and not well organized.
My biggest issue is with Open ID. I will never, ever, participate in a system where you authenticate with a company where you are not the user, but the product. That's not security. Regardless of whether it is Google, having all that authentication in one spot is a bad idea. One password to rule them all, One password to bind them all, and in the darkness where you fucking lose it you get bent over by some sociopath in Russia who will own your ass and use it to pay for Vodka and teenage Russian hookers.
Unless, I am explicitly told by a client, after they ignore all my recommendations, will I integrate a centralized authentication scheme. Just poor security, but others will disagree I am sure....
Ohhhh, I almost forgot :)
YouTube API was offline for over 3 hours yesterday. Got a ton of emails about it and I looked at the response code coming back and it was ServiceUnavailable. No problems with our system, from what I could tell from the logs. Calls just started working again a few hours later with no code changes.
So if I do integrate Open ID, what guarantees do I have that the service will reasonably be available? How do I tell a user that the reason they can't authenticate is because one of the largest companies in the world has products in perpetual beta for free and I can't complain because it is free?
Do you think any user that complained yesterday believed Google was at fault or our system? Seriously, why even bother sending out a service impact notification that people might not even believe. With just a few hours I let them think it was just a spike in our load and it took longer than normal to upload.
He's also a fan of strategy games like Vega Strike and Transport Tycoon.
I like the cut of this guy's jib.
Moron, we are talking average users, where the numbers are, just like you the sub-100s'. The bulk, where corporate executives target their shenanigans. Plenty of solutions for smarter users in fact the majority of smarter users would not even bother with that feature. Retentive types that need every single thing clarified and defined, rather than most things not delineated are obviously regard the majority, the average.
Chaos - everything, everywhere, everywhen
You mean the Do Not Track list which is practically unenforceable?
As best I can tell "Do Not Track" headers in the browser are there for legal purposes. If we ever get the chance to sue for unauthorized tracking having the browser explicitly inform the tracker's website that they should not be tracking this user will probably be helpful in court. It may even be that the threat of such ends up being enough to make trackers obey the header.
But either way, it seems like an attempt to leverage the legal system for us little guys rather than a straight-forward engineering method of preventing tracking.
When information is power, privacy is freedom.
Does Google Chrome have a cryptographic-grade random number generator with a good source of entropy? JavaScript Math.random() is known to be predictable. Has someone with respected crypto qualifications checked over the code and signed off on it?
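Added example, not part of the thread and not Chrome's code: the dictionary-word passphrase idea raised earlier in the discussion and the CSPRNG question in the comment above, sketched in JavaScript. It draws from the Web Crypto generator instead of Math.random() (which the language does not specify as cryptographically secure) and uses rejection sampling so every symbol or word is equally likely. ALPHABET, SAMPLE_WORDS and all function names are assumptions made for illustration, and the word list is a constructed sample far smaller than a real one.

```javascript
// Added example (not Chrome's implementation). All names here are illustrative.
// Web Crypto is a global in browsers and Node 19+; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) using rejection sampling over 32-bit draws.
// Plain `value % n` would favour small results whenever 2^32 is not a multiple of n.
function uniformInt(n, source = webcrypto) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in [1, 2^32]');
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n that fits
  const buf = new Uint32Array(1);
  for (;;) {
    source.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n; // draws >= limit are discarded and retried
  }
}

// Character set for random-character passwords (an assumption; sites differ in what they accept).
const ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_';

// Password of `length` characters, each chosen independently and uniformly.
function randomPassword(length, alphabet = ALPHABET, source = webcrypto) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[uniformInt(alphabet.length, source)];
  }
  return out;
}

// Constructed sample list: 16 words give only 4 bits per word.
// A real passphrase list has thousands of words (2048 words = 11 bits per word).
const SAMPLE_WORDS = [
  'correct', 'horse', 'battery', 'staple', 'anchor', 'biscuit', 'candle', 'dolphin',
  'ember', 'falcon', 'garden', 'harbor', 'island', 'jungle', 'kettle', 'lantern',
];

// Passphrase of `count` words, each chosen independently and uniformly.
function randomPassphrase(count, words = SAMPLE_WORDS, sep = ' ', source = webcrypto) {
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(words[uniformInt(words.length, source)]);
  }
  return picked.join(sep);
}

// Entropy in bits of `count` independent uniform picks from `choices` options.
// Only valid when the picks really are uniform and independent, which is why
// the generator above matters more than the look of the output.
function entropyBits(count, choices) {
  return count * Math.log2(choices);
}

// Demonstration output for a reader running the file directly.
console.log(randomPassword(20), `~${entropyBits(20, ALPHABET.length).toFixed(1)} bits`);
console.log(randomPassphrase(4), `~${entropyBits(4, SAMPLE_WORDS.length)} bits (sample list)`);
console.log('4 words from a 2048-word list:', entropyBits(4, 2048), 'bits');
console.log('6 random bytes, as in head -c6:', entropyBits(6, 256), 'bits');
```

The entropy figure describes the generation process, not the resulting string: a human-chosen phrase of the same length has far less.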
Already Exists: http://passwordmaker.org/
Google Chrome: http://passwordmaker.org/Google_Chrome
I'd like to see a standard password database storage format. Yes, there are ways to generate and store passwords, but usually, it is pretty difficult (and prone to leaks) to transfer the entries between one password program to another, especially on different devices.
For example, the best password storage on the iPhone would be 1Password since it uses a PIN (10 mistries == wipe), as well as the passphrase. Android, last time I checked, the app had far less functionality. KeePass is as close to a standard as one can get for multiplatform access, but good luck keeping all those in sync.
The solution close to an ideal likely would use private keys, such as what devices use, in combination with a good passphrase. This way, if someone gets ahold of the encrypted key material that might be sitting on Dropbox, the passphrase can't be brute forced because it would require decryption on a device that has been configured with that key storage.
Okay, say I have been using this feature on chrome for a while, and say the password is saved by chrome and it allows me to look it up. Now I want to switch to IE (for whatever reasons). Now for each of the websites I have to open chrome password manager and locate the right password, copy it and paste it in IE. This is labour intensive enough that, nobody would ever want to do it. That sounds like a lock-in to me (my definition of lock-in is the inability to easily switch to a competing service).
And about the childish torts (what are you, 13?), it's you who needs a clue.
Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.
Just so that you know, google does not allow you download non-anonymous search history either. I am usually logged in, when I perform a search on google. Neither does google allow you download the search results you have visited (it does not even allow you view them I believe). Google does not allow me to download the list of websites I have visited and Google had noticed that I had visited it. It does not allow me to download the timestamps and IPs of my logins. I can go on and on, but you get my point. Google collects tons of information about me, which I don't get access to.
Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.
Really?
Perhaps you should have Googled it before shooting your mouth off...
Google Releases “Do Not Track” Extension for Chrome
Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
This extension solves that, as Google believes this is the correct way to ward off ad tracking.
http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/
"I've got more toys than Teruhisa Kitahara."
Google refuses to release the Chrome source code for no real reason. And no, Chromium and Chrome are not the same thing. Given all their recent privacy fuck ups I won't touch any Google-branded piece of software (or service for that matter) with a 10ft pole.
--
Marcan, asshole and proud.
Highlight Middle click ;)
Excuse me, but please get off my Pennisetum Clandestinum, eh!
"If you have something you want to keep secret, maybe you shouldn't be doing it" - go ahead and generate my passwords for me!
Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.
Let's take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.
Or realistically, that google would login as people and impersonate their accounts.
You can have my tinfoil hat, you need it more than me.
meow... that eye patch tickles ya know
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
Undoing my mods...
KeePass is as close to a standard as one can get for multiplatform access, but good luck keeping all those in sync.
Combine it with Dropbox. I open my passwords on Linux, my Android phone, and Windows. I could also do the same when switching to an iPhone.
They all access the same database, all changes synced in seconds. Each package apart is not a standard, but the combination Dropbox/Keepass is rapidly becoming the default in my professional circles. And with Crashplan doing encrypted backups, I figure I'm pretty safe.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.
Here is an official list of recommended providers: http://openid.net/get-an-openid/
http://soylentnews.org/~tibman
I can't download the history, but I can view it all here: https://www.google.com/history/
http://soylentnews.org/~tibman
And there is no Ironclad way to prevent tracking.
You would need to anonymize all webtraffic, remove features from browsers people actually use, make all browsers work exactly the same (which you can not or you will need to create a monopoly of one browser) and disobey the HTTP/1.1 RFC with things like the E-tag.
New things are always on the horizon
I like browserid, at least when it gets out of the beta-stage (which it should in the coming months):
https://browserid.org/about
http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in
It is a quick and easy way to verify you are the owner of an email-address and an open specification.
Then Firefox will get it in the browser-UI, here is an old mockup:
https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png
Firefox still has about 25% of the market, if those users get an easy way to login to sites that should help with adoption.
New things are always on the horizon
And how secure is having only openid to login into every website? Now they only have to hack into your openid account to get onto all those different websites, making it much easier for the hackers.... yeah google I understand why you want everybody to use your openid, so you can track them even better....
Is it?
Shift-Insert
(+1, Disagree)
Excellent, except they'll show the passwords as images to prevent scary viruses from trying to scan the text.
As best I can tell "Do Not Track" headers in the browser are there for legal purposes.
Any idea how one proves in court that these headers have been actually sent in specific cases?
If Pandora's box is destined to be opened, *I* want to be the one to open it.
I'll stick with Firefox and the PwdHash
I always wonder why W3C didn't build password hashing into the HTML specification. It would not be the perfect solution, I know, but still it could have been a major improvement in online security.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Firstly, it would be a good thing for Chrome to generate passwords, but I'd like to see it store them in a keepass DB file instead of holding it Chrome itself or on Google's servers.
Secondly, OpenID means you don't have to use Google as a provider. Seriously, what is with the 'one password to rule them' bullshit. Use MyOpenID or MyId or Verisign. Or implement your own provider and use that, then you can be the big bad nasty sociopath and volunteer your own ass for Russian hookers.
Come on here and post, but at least try to sound like you have more sense than an immature 14 year old.
Hi, my name is Anonymous Coward and I'm the average Slashdot poster.
Slashdot Anonymous meeting (in unison) : Hi, Anonymous Coward.
released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.
So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?
Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.
Let's take your argument to its logical conclusion ...
Chrome will probably use a set formula to generate passwords that are strong but easy to remember. If someone asks Chrome to generate a password using the same criteria used by the person who registered the account, will it generate the same password and help someone break in to the account? If they try it multiple times will it give them enough samples to help them narrow in on the password it generated for the original user?
Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?
You do know you can use an openID vendor that you pay as the customer right? Your bank could even become a vendor. So choose whatever OpenID vendor you like.
Don't use windows then... not that IE works very well but you can choose almost any other browser to run on Linux and at least there chrome will have saved your passwords in kwallet/gnomekeyring. Using Linux also has other fringe security benefits, e.g. privproxy and what not.
Show that the browser's config file has the setting turned on.
I've got some sort of strong password chrome plugin already, I use it for everything. I just don't bother to write down the passwords.
The chances that I'll lose the randomly generated password in the time between when the cookie expires, and when I actually need to use the site* again is about 90%. If I think I'll come back to the site, I'll email myself the password, and if it's just a throwaway account (is there a better single word term for this yet?) I'll just use the password recovery if by some chance I need to login a second time. Hell, I've started using the password generator to pick usernames.
*Does not include sites that have financial info like the Bank, Ebay, Amazon, etc.
moox. for a new generation.
In a civil suit, the burden of evidence is 'the balance of probability'. If you can show that your browser sends the header if a particular setting is enabled and that you have enabled that setting, then the other party would have to show that it was not sent in a specific case, or provide some counter evidence. In a criminal case, the standard is 'beyond reasonable doubt', so they would just have to show that it was possible that it was not sent.
I am TheRaven on Soylent News
You have a SS number, right? Probably a debit and/or credit card as well?
YOU CAN BE TRACKED.... and you're worried about your "privacy" on your home computer? Open those window blinds so you can see the world for how it really is.
I do agree that everyone should get/expect personal privacy, but once you're on the web.... well, if someone wants to find out stuff about you, they will.
I'm pretty sure that Chrome on OS X uses the Keychain, so you can use the generated passwords from any other browser that does (i.e. Safari or Opera - I think FireFox can with an extension, but it defaults to reinventing the wheel). The Keychain can also generate passwords and tell you the strength of passwords, but for some reason Apple has not exposed this functionality in the browser.
I am TheRaven on Soylent News
Ok, but how do you show that the setting was not enabled _after_ the indictment? Or is there no such requirement?
If Pandora's box is destined to be opened, *I* want to be the one to open it.
OpenID doesn't solve the privacy problem that it allows you to easily track someone across sites. Without it, I can easily use a different username and password for every password. My browser already stores all of these, so login is pretty much a solved problem. No site can tell what my account is on another site (unless I'm stupid enough to use gravatar or similar). With OpenID, it is trivial to tie together two online identities.
A well-designed single sign on system would have an authentication server provide no more information than a value indicating that two consecutive authentication attempts are the same person. It should not be tied to something like an email address (at least on the site's side - that's fine on the authentication provider's side).
I am TheRaven on Soylent News
Great, now hackers have a single point of attack to lift passwords. Imagine hooking a function call to the generation plugin which sends every password and username back to the attacker....
Can I light a sig ?
I'd like to see a standard password database storage format
The storage format isn't the problem, it's the API. The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it. If I enter a password in Safari, Opera can only access it if I explicitly grant Opera permission for that password. How the passwords are stored is of secondary importance - the important part is that no program - especially not a web browser, which downloads and runs untrusted code - should be accessing the store directly.
I am TheRaven on Soylent News
A typical web site password of mine:
1jVzaVAy9Xhfoc_eok0V49ld-
My banking passwords are of course more controlled, with far more specialised systems enforcing password strength to exactly 6 digit numerical characters. Clearly date of birth is the state of the art in banking security.
Deleted
I'm just going to stick with my super advanced password generator.
Admit nothing. Deny Everything. Make Counter-accusations.
The extension does not seem to implement the DNT mechanism currently being defined at the W3C (which consists of special HTTP headers and JavaScript APIs).
As I said, the requirement is 'balance of probability'. You make the claim and provide evidence, the other side has to show that it is improbable. It's up to the judge or jury to then weigh the evidence and see which is more likely...
I am TheRaven on Soylent News
It should not be tied to something like an email address (at least on the site's side - that's fine on the authentication provider's side).
Say an online store lets you sign in using OpenID to track your order. Without an e-mail address, how is the site supposed to notify you that the order has shipped, or more importantly, that there is a problem that prevents the order from shipping?
But I think using the same password for every site is a much bigger risk.
In particular, when a vulnerable site exposes its database, like in e.g. the Gawker and Sony breaches, you normally end up with a large number of matched email addresses and passwords.
I don't know how many people there are that use the same password for their email account as they do for everything else, but I'm guessing it's most of them.
The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it.
That's to keep viruses from infecting a program and gaining access to its key-value store. But a virus can't infect a signed program without invalidating the signature. I've read that Keychain ACLs transfer to future versions of the same program as long as both versions are provably by the same author, that is, they were signed with the same (self-signed) certificate.
And no, Chromium and Chrome are not the same thing.
I've got Chromium Browser installed on my Xubuntu laptop. What's the noticeable feature difference, apart from the built-in SWF player and PDF reader?
Digest authentication is part of HTTP.
That's why I use my Ubuntu account instead of my Google account when I want to log in somewhere with OpenID. Is Canonical likely to track me and do evil things with the information?
I am the web developer and server administrator for such an online shop, and I get a lot of shipping notification e-mails bounced as undeliverable because people mistype their address. It has got to the point where Comcast has started to assume our legitimate shipping notification e-mails are spam. I imagine that if someone has successfully logged into OpenID, that's a stronger guarantee that the address can actually receive mail.
I'd love to see those passwords being managed by Google Authenticator.
My problem with this is that using a passphrase in KeePass has to be short enough to type in when there is an emergency (say I need to log onto a machine as root because it can't connect to LDAP, and decided to not let anyone in), but long enough to deter brute force cracking.
This is why I like having another mechanism of security that isn't a password. The ideal would be a TrueCrypt container with the keyfile stored on devices. This way, if someone compromised the Dropbox account, there is no amount of password guessing that would yield them the stored passwords.
A well thought out 20+ character passphrase is good security, however, I don't like the fact that it likely is the only thing that is keeping some of the most secret data I have out of the hands of an intruder. Having another form of security such as keyfiles gives peace of mind.
http://supergenpass.com/ It's hella easy to use. Portable and device/application independent. Been using it for quite awhile. Every site has a unique password based on a passphrase. You can have as many passphrases as you can remember. I tend to use a different passphrase based on the type of site. It's pretty cool since I don't technically know the password to any site. So even I can't be compromised.
I was astonished when websites started asking for your login credentials for *other* websites in order to scrape your contact info.
The continued erosion of privacy is starting to look like the proverbial frog being boiled alive.
Google would love to have the Facebook and Linkedin social graphs. It seems credible that they would use your credentials to scrape your portion of the graph.
Of course they would put this in their next privacy policy, in suitably nice language, which would cause minor discomfort going down.
So I'm curious why you find the idea ridiculous. Do you not agree that Google desperately wants this data? Or do you think they have some ethical barrier to acquiring it?
Sorry bonch, but I'll stick with PassKeeper 1 as it's truly cross platform. Another reason and the most important one, is that I don't feel that the browser should ever generate my pw's for me. What happens if someone figures out a compromise for the browser and is able to steal all the pw's you've generated? I do agree on not trusting Google in this case and in fact that was the first thing I thought of. Is the actual PW generation being done in a secure way on my system or is it being done using Google's servers; with Google then having a copy of all of my secure PW's? It all falls back to the reason I prefer using a separate PW app such as PassKeeper and that I use the 1.0 version as it's not dependent on dotnet as the 2.0 tree is.
Mod me up/Mod me down: I won't frown as I've no crown
Nothing will solve your issues with privacy because HTTP headers can be used to uniquely identify your PC with a high enough certainty that even in a world of blurmany (Germany has crazy privacy laws), the advertisers can still track your behavior and know when you are on a site and advertise accordingly... that even works in a private session because it is based on the HTTP protocol.
My Bad for replying to myself
I do agree bonch and yes, the first question I had was just how does Google guarantee to me that the PW generation is being done in a secure way on my system and not theirs? The other issue is what happens when someone figures out a flaw in the PW generator and is then able to easily crack all of the PW's generated by everyone using this method? We've already seen it happen - Remember the Debian SSH key screwup?
As to trusting the browser, I really don't as far as retaining my passwords; that's what a password safe is for, because if someone compromises the pw.db you're screwed-blued and tattooed, which is why I use a PW safe. They have to figure out what app I'm using then compromise it before stealing all of my pw's.
Mod me up/Mod me down: I won't frown as I've no crown
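The worry raised in the comment above, a flaw in the generator weakening every password it produces, can be measured directly. The following is an added example, not code from the thread or from Chrome: it models a generator whose only varying input is a 15-bit seed (a constructed stand-in for the Debian incident, where the process ID was the only varying input) and compares its real output space with a CSPRNG-backed generator.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SEED_SPACE = 2**15  # constructed: generator seeded only by a 15-bit process ID


def weak_password(seed: int, length: int = 16) -> str:
    """Flawed on purpose: the whole output is fixed by a small, guessable seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 16) -> str:
    """Each character is drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int = 16) -> float:
    """Strength the password appears to have from its length and alphabet."""
    return length * math.log2(len(ALPHABET))


def distinct_outputs(seed_space: int = SEED_SPACE) -> int:
    """Audit step: how many different passwords can the weak generator emit?"""
    return len({weak_password(seed) for seed in range(seed_space)})


def effective_bits(outputs: int) -> float:
    """Real strength: log2 of the number of passwords that can ever occur."""
    return math.log2(outputs)


if __name__ == "__main__":
    n = distinct_outputs()
    print(f"looks like {nominal_bits():.1f} bits, is at most {effective_bits(n):.1f} bits")
    print("CSPRNG sample:", strong_password())
```

The 16-character output of both generators looks identical to a strength meter; only an audit of the seed source shows the difference.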
Bonch(etc)=Richard Stallman???
;-)
soylentnews.org Go there to enjoy the people!
I'd have thought Google would be better spending their time adding a facility to protect passwords the user has chosen Chrome to remember.
The fact Chrome has no native password manager "master password" facility cf Firefox is, for me, a deal-breaker.
Why have a strong password generator, then allow the user to save them where the next user of the browser can easily access them?
Just my $0.02
It would be easier to have the DNC tag and levy a $10,000 fine for each violation. If you want the government to leave a puddle like an excited poodle on its way to its now overflowing food dish in its mad dash to help you, craft the law so you get $1000 and they get $9000 PER violation.
I'd like lower taxes and bankrupt assholes.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
The biggest issue I have with all of these solutions, 1Password, LastPass, KeePass, the OS X Keychain, browsers storing passwords, et al, is that they basically just all store all of your passwords in their own custom ways, often on remote stores beyond your control, while leaving you with the mess of creating the passwords and keeping them "in-sync" between all of your devices. What if you're not behind your laptop? How do you log into your email?
Thought I'd mention Master Password which aims to address this issue by letting you remember a single master password (which you already do for each of these solutions anyway) and then calculating your password for a given site from it. The algorithm is completely offline, uses no inputs other than those remembered by the user and others documented by the algorithm, and the output will pass most any of those pesky "password policies".
It basically means all you need is a calculator and your password to get access to any of your sites. And if you lose your device, no data lost and you've got your identity back just by picking up any other device.
The actual app is currently in beta and only for iOS, but the algorithm is fully documented for anyone to reproduce and a Mac version is already planned.
``OK, so ten out of ten for style, but minus several million for good thinking, yeah?''
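The approach described in the SuperGenPass and Master Password comments, deriving each site's password from one remembered secret instead of storing it, can be sketched as follows. This is an added example and a simplified illustration of the general idea, not the algorithm of either tool; the salt label, scrypt parameters, symbol set and function names are all assumptions made here.

```python
import hashlib
import hmac
import string

# Assumed parameters for this sketch; not the constants of any real tool.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
ALPHABET = "".join(CLASSES)


def master_key(user: str, master_password: str) -> bytes:
    """Slow, salted stretch of the one secret the user remembers."""
    salt = b"example.derive.v1" + user.encode("utf-8")
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def site_password(key: bytes, site: str, counter: int = 1, length: int = 16) -> str:
    """Derive a per-site password; raise counter to rotate it after a breach."""
    if not 4 <= length <= 32:
        raise ValueError("length must be between 4 and 32")
    # Length-prefix the site name so different (site, counter) pairs never collide.
    msg = len(site).to_bytes(4, "big") + site.encode("utf-8") + counter.to_bytes(4, "big")
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    # Expand the seed into 128 bytes with HMAC in counter mode.
    stream = b"".join(hmac.new(seed, bytes([i]), hashlib.sha256).digest() for i in range(4))
    # One character from each class first, so common password policies pass.
    out = [cls[stream[i] % len(cls)] for i, cls in enumerate(CLASSES)]
    # Remaining characters from the full alphabet (slight modulo bias accepted here).
    out += [ALPHABET[stream[i] % len(ALPHABET)] for i in range(len(CLASSES), length)]
    # Deterministic Fisher-Yates shuffle so the class positions are not fixed.
    for i in range(length - 1, 0, -1):
        j = stream[32 + i] % (i + 1)
        out[i], out[j] = out[j], out[i]
    return "".join(out)


if __name__ == "__main__":
    key = master_key("alice", "correct horse battery staple")  # constructed inputs
    for site in ("example.com", "example.org"):
        print(site, site_password(key, site))
```

Since nothing is stored, one leaked site password is enough material for an offline guessing attack on the master password, which is why the stretch step is deliberately slow.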
Not only does it not actually conform to DNT, it's an extension that doesn't ship with the browser. The majority of users will never use it and aren't even aware it exists. Why doesn't Google include the functionality by default? You successfully got him modded down by Google fans, but it doesn't change the facts.
Yes, really.
I was already aware of it (it was covered on Slashdot when it was released). It's a non-standard extension that doesn't ship with the browser. All other major browser vendors ship with DNT functionality built in. Google is separating it from Chrome in the hopes that most people will never be aware of it, never seek it out, and therefore never use it.
I repeat, Google is the only major browser vendor not to adopt DNT. Mod me down all you want--that's the truth of the situation.
- bonch
Having trouble with your passwords? I would be glad to help you.. (google speaking avatar) Oh, Thank you gOOGLE. tHEY just passed my front door again.
So do what I do. Have KeePass use a key file that you carry around on a flashdrive. The database is synced to my dropbox, but needing a token that never is more than a foot or two away from me is good enough for me.
It's been a long time since I read cypherpunks and I still feel I'm a noob at crypto. Smart cards do the encryption/decryption in such a way as to not reveal the key even to snoopers.
I want to secure my home/laptop system so that I can use a smartcard to log on with a pin pad built into the card or one I carry. I think this is something I can set up.
I'd like to be able to use a computer that may have compromised hardware to be able to connect to a PC I control and do my transactions using that. Again I'd like to use the smart card to handle the security. I accept that compromised hardware could prevent this but if it was just snooping I would not care. I could most likely do this if I could boot to a USB stick and use the smartcard but would like to find out if I could do it on a system where I did not have admin rights and could not boot on a USB stick. I would of course need to be able to use the USB ports. If there is a method to hide keystrokes and mouse use that would be a bonus.
I'd like the smartcard to be the tool that either stores or unlocks passwords for websites requiring passwords. A quick check says that is possible. I'm not suggesting all websites have my public key for authentication since if it's compromised it's the same as having one password for all of them.
I'm slowly reading up on that subject. I cannot find a card with a pin pad to unlock it but I'm ok with just a card that needs or is set up to require a pin. I cannot find a USB reader with pin pad that's small. I will get a larger one if the price is right.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Really? Given Google's track record (see http://www.dataliberation.org/ ) you will probably be able to export it as a comma-delimited file or some other standard format. Of course, IE probably won't have a way to import that, but that's hardly Google's problem.
Many things about Google are scary, but lock-in? The world has enough real problems, no need to make up fake ones!
What's different from trusting the browser to store your passwords?
Nothing, both are insecure. You really should not store your passwords in the browser if you care for security. Use an external password manager you trust. I have written one for myself but there are also good open source password managers.
dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64
The site that allows you to get opt-out cookies for over a hundred behavior-targeting advertising networks has been around for many years, and was actually created by those networks - www.networkadvertising.org.
Opt out now and don't forget to visit this site every time you re-install your OS or clear cookies.
It works like a charm, you don't need a separate plugin for every network you are aware of... there are hundreds of ones you have never even heard of, yet you see their custom-tailored ads every day.