Google Working On Password Generator For Chrome

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."

What could go wrong?

[bonch]

Let's trust an ad-serving company with a track record of intentional privacy violations and a publicly hostile attitude toward privacy rights to generate our passwords for us.

Ever wondered why Chrome bundled Flash despite dropping H.264 in the name of openness? Advertiser Flash cookies. Chrome is also the last major browser not to support the Do Not Track privacy feature. Google wants access to all your data because you are their product, and advertisers are their users.

Of course, trolls will probably accuse me of being a shill again, even though the facts are staring everyone in the face. I'll stick with Firefox and the PwdHash addon for secure password generation, thanks.

Re:What could go wrong?

Of course, trolls will probably accuse me of being a shill again, even though the facts are staring everyone in the face.

No need.

If anyone's uncertain, just check the posting history of the sockpuppets below and draw your own conclusions.

DavidSell
ByOhTek
antitithenai
Bonch
TechGuys
Overly Critical Guy
CmdrPony
InsightIn140Bytes
InterestingFella
SharkLaser
jo_ham
DCTech
smithz
HankMoody

Re:What could go wrong?

[Aerorae]

You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?

Re:What could go wrong?

Remember - anyone who is anti-Google is a shill. They are probably being paid with MiKKKro$oft bloody money.

Hi, my name is Anonymous Coward and I'm the average Slashdot poster.

Re:What could go wrong?

[liquidweaver]

Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

Or realistically, that google would login as people and impersonate their accounts.

You can have my tinfoil hat, you need it more than me.

Re:What could go wrong?

[bonch]

The Robots Exclusion (robots.txt) is also an honor system. Google is the only holdout on Do Not Track. Every other major browser vendor has adopted. Google also happens to financially benefit from there being no Do Not Track. Makes you think, doesn't it?

Re:What could go wrong?

[bonch]

It's not about evil intentions. It's about Google's track record of privacy "accidents" and a general lack of respect for privacy rights. Would you trust Microsoft antispyware software? No, because Microsoft's track record is pretty shitty in that regard. So why should you trust Google to generate your passwords, one of the most private pieces of data you own?

Re:What could go wrong?

[rtb61]

Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to, get one char wrong and your stuck. Some like banks will definitely not email you a replacement password so that you can immediately reconnect.

Easy solution go with pass phrases they are easier to remember, words between 4 and 6 characters long, three words, that's 12 to 18 chars, those with mixed language capabilities have a slight advantage and only so "Googleveryobvious" and your done ;).

Re:What could go wrong?

These are posters claiming to be panicked because Google Chrome, into which they would type and save their passwords, is offering to generate them as well.

Hopefully someone tells them about Chromium.

Re:What could go wrong?

Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters

A "realistic conclusion" given the zillions of search results for Chrome export passwords? Really?

Re:What could go wrong?

[BitZtream]

Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.

Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

You can't call it lock in when they give you a unencrypted well documented XML file with your data in it, moron. Thats what they do for all of their web services, you think they won't make an export feature for Chrome?

They don't need lock in. Instead of doing 'Lock In' they do 'Better than the competition' which is far more effective at retaining customers. You should look into it some time.

Of course, this new feature in order to be useful for lock in would have to diverge from the current feature of chrome that lets you look up previously stored passwords already.

Do you actually have any idea at all who or what you're talking about?

Re:What could go wrong?

[MisterMidi]

I am not Google's product. Google did not produce me. Hell, I'm even older than both of the founders!

Re:What could go wrong?

[mrmeval]

I put mine in a text file and encrypt them with a PGP key that is not on my PC. That is my backup. I trust firefox well enough to let it store them but I don't trust them not to screw up and destroy them.

Re:What could go wrong?

[MisterMidi]

What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.

Re:What could go wrong?

[ozmanjusri]

Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to

Ctrl C
Ctrl V.

Re:What could go wrong?

[EdIII]

I can see there being some kind of lock-in, albeit not the one you are talking about.

Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.

What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.

That could be the lock-in. All of your passwords are stored in the "Cloud" with Google. However, I am sure they would provide a secure export adhering to some standards (theirs) that other vendors could read (after circumnavigating some documentation more fucking complicated than the plans for the Death Star). Sorry, I do API programming for some Google products and I find their documentation a little lacking in some places and not well organized.

My biggest issue is with Open ID. I will never, ever, participate in a system where you authenticate with a company where you are not the user, but the product. That's not security. Regardless of whether it is Google, having all that authentication in one spot is a bad idea. One password to rule them all, One password to bind them all, and in the darkness where you fucking lose it you get bent over by some sociopath in Russia who will own your ass and use it to pay for Vodka and teenage Russian hookers.

Unless, I am explicitly told by a client, after they ignore all my recommendations, will I integrate a centralized authentication scheme. Just poor security, but others will disagree I am sure....

Ohhhh, I almost forgot :)

YouTube API was offline for over 3 hours yesterday. Got a ton of emails about it and I looked at the response code coming back and it was ServiceUnavailable. No problems with our system, from what I could tell from the logs. Calls just started working again a few hours later with no code changes.

So if I do integrate Open ID, what guarantees do I have that the service will reasonably be available? How do I tell a user that the reason they can't authenticate is because one of the largest companies in the world has products in perpetual beta for free and I can't complain because it is free?

Do you think any user that complained yesterday believed Google was at fault or our system? Seriously, why even bother sending out a service impact notification that people might not even believe. With just a few hours I let them think it was just a spike in our load and it took longer than normal to upload.

Re:What could go wrong?

[rtb61]

Moron, we are talking average users, where the numbers are, just like you the sub-100s'. The bulk, were corporate executives target their shenanigans. Plenty of solutions for smarter users in fact the majority of smarter users would not even bother with that feature. Retentive types that need every single thing clarified and defined, rather than most things not delineated are obviously regard the majority, the average.

Re:What could go wrong?

[Jah-Wren+Ryel]

You mean the Do Not Track list which is practically unenforceable?

As best I can tell "Do Not Track" headers in the browser are there for legal purposes. If we ever get the chance to sue for unauthorized tracking having the browser explicitly inform the tracker's website that they should not be tracking this user will probably be helpful in court. It may even be that the threat of such ends up being enough to make trackers obey the header.

But either way, it seems like an attempt to leverage the legal system for us little guys rather than a straight-forward engineering method of preventing tracking.

Re:What could go wrong?

[Dunega]

BOOGA BOOGA BOOGA, the great evil Google is going to invade your mind and steal all of your secrets. Good god, get a grip.

Re:What could go wrong?

[mlts]

I'd like to see a standard password database storage format. Yes, there are ways to generate and and store passwords, but usually, it is pretty difficult (and prone to leaks) to transfer the entries between one password program to another, especially on different devices.

For example, the best password storage on the iPhone would be 1Password since it uses a PIN (10 mistries == wipe), as well as the passphrase. Android, last time I checked, the app had far last functionality. KeePass is as close to a standard as one can get for multiplatform access, but good luck keeping all those in sync.

The solution close to an ideal likely would use private keys, such as what devices use, in combination with a good passphrase. This way, if someone gets ahold of the encrypted key material that might be sitting on Dropbox, the passphrase can't be brute forced because it would require decryption on a device that has been configured with that key storage.

Re:What could go wrong?

[ThatsMyNick]

Okay, say I have been using this feature on chrome for a while, and say the password is saved by chrome and it allows me to look it up. Now I want to switch to IE (for whatever reasons). Now for each of the websites I have to open chrome password manager and locate the right password, copy it and paste it in IE. This is labour intensive enough that, nobody would ever want to do it. That sounds like a lock-in to me (my definition of lock-in is the inability to easily switch to a competing service).

And about the childish torts (what are you, 13?), its you who needs a clue.

Re:What could go wrong?

[ThatsMyNick]

Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

Just so that you know, google does not allow you download non-anonymous search history either. I am usually logged in, when I perform a seach on google. Neither does google allow you download the search results you have visited (it does not even allow you view them I believe). Google does not allow me to download the list of websites I have visited and Google had noticed that I had visited it. It does not allow me to download the timestamps and IPs of my logins. I can go on and on, but you get my point. Google collect tons of information about me, which I dont get access to.

Re:What could go wrong?

[ozmanjusri]

Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.

Really?

Perhaps you should have Googled it before shooting your mouth off...

Google Releases “Do Not Track” Extension for Chrome
Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
This extension solves that, as Google believes this is the correct way to ward of ad tracking.

http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/

Re:What could go wrong?

Google refuses to release the Chrome source code for no real reason. And no, Chromium and Chrome are not the same thing. Given all their recent privacy fuck ups I won't touch any Google-branded piece of software (or service for that matter) with a 10ft pole.

--
Marcan, asshole and proud.

Re:What could go wrong?

[flyingfsck]

Higlight Middle click ;)

Re:What could go wrong?

[poetmatt]

We know you're a shill dude.

Why even try to deny it? Why do you even bother first posting.

You are so fast to shit on google that I sincerely wish upon you cancer.

Where was an actual violation? Not "we're concerned"? Not "this is not a good thing"? I'm legitimately interested because you have no fucking answer.

Re:What could go wrong?

[Enter+the+Shoggoth]

Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

Or realistically, that google would login as people and impersonate their accounts.

You can have my tinfoil hat, you need it more than me.

meow... that eye patch tickles ya know

Re:What could go wrong?

[St.Creed]

Undoing my mods...

KeePass is as close to a standard as one can get for multiplatform access, but good luck keeping all those in sync.

Combine it with Dropbox. I open my passwords on Linux, my Android phone, and Windows. I could also do the same when switching to an iPhone.

They all access the same database, all changes synced in seconds. Each package apart is not a standard, but the combination Dropbox/Keepass is rapidly becoming the default in my professional circles. And with Crashplan doing encrypted backups, i figure I'm pretty safe.

Re:What could go wrong?

[tibman]

OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.

Here is an official list of recommended providers: http://openid.net/get-an-openid/

Re:What could go wrong?

[tibman]

I can't download the history, but i can view it all here: https://www.google.com/history/

Re:What could go wrong?

[Lennie]

And there is no Ironclad way to prevent tracking.

You would need to anonymize all webtraffic, remove features from browsers people actually use, make all browsers work exactly the same (which you can not or you will need to create a monopoly of one browser) and disobey the HTTP/1.1 RFC with things like the E-tag.

Re:What could go wrong?

[Lennie]

I like browserid, atleast when it gets out of the beta-stage (which it should in the coming months):

https://browserid.org/about
http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in

It is a quick and easy way to verify you are the owner of an email-address and an open specification.

Then Firefox will get it in the browser-UI, here is an old mockup:

https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png

Firefox still has about 25% of the market, if those users get an easy way to login to sites that should help with adoption.

Re:What could go wrong?

[Shoe+Puppet]

Shift-Insert

Re:What could go wrong?

Excellent, except they'll show the passwords as images to prevent scary viruses from trying to scan the text.

Re:What could go wrong?

[StripedCow]

As best I can tell "Do Not Track" headers in the browser are there for legal purposes.

Any idea how one proves in court that these headers have been actually sent in specific cases?

Re:What could go wrong?

[StripedCow]

I'll stick with Firefox and the PwdHash

I always wonder why W3C didn't build password hashing into the HTML specification. It would not be the perfect solution, I know, but still it could have been a major improvement in online security.

Re:What could go wrong?

[gbjbaanb]

firstly, it would be a good thing for Chrome to generate passwords, but I'd like to see it store them in a keepass DB file instead of holding it Chrome itself or on Google's servers.

Secondly, OpenID means you don't have to use Google as a provider. Seriously, what is with the 'one password to rule them' bullshit. Use MyOpenID or MyId or Verisign. Or implement your own provider and use that, then you can be the big bad nasty sociopath and volunteer your own ass for Russian hookers.

Come on here and post, but at least try to sound like you have more sense than an immature 14 year old.

Re:What could go wrong?

[WrongSizeGlass]

Hi, my name is Anonymous Coward and I'm the average Slashdot poster.

Slashdot Anonymous meeting (in unison) : Hi, Anonymous Coward.

Re:What could go wrong?

[WrongSizeGlass]

Just an extension? Not core functionality? Meh.

released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.

So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?

Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.

Re:What could go wrong?

[WrongSizeGlass]

Lets take your argument to its logical conclusion ...

Chrome will probably use a set formula to generate passwords that are strong but easy to remember. If someone asks Chrome to generate a password using the same criteria used by the person who registered the account, will it generate the same password and help someone break in to the account? If they try it multiple times will it give them enough samples to help them narrow in on the password it generated for the original user?

Re:What could go wrong?

[modmans2ndcoming]

Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?

Re:What could go wrong?

[modmans2ndcoming]

you do know you can use an openID vendor that you pay as the customer right? Your bank could even become a vendor. So choose what ever OpenID vendor you like.

Re:What could go wrong?

Don't use windows then... not that IE works very well but you can choose almost any other browser to run on Linux and at least there chrome will have saved your passwords in kwallet/gnomekeyringl. Using Linux also has other fringe security benefits, e.g. privproxy and what not.

Re:What could go wrong?

Show that the browser's config file has the setting turned on.

Re:What could go wrong?

[Hadlock]

I've got some sort of strong password chrome plugin already, I use it for everything. I just don't bother to write down the passwords.
 
The chances that I'll lose the randomly generated password in the time between when the cookie expires, and when I actually need to use the site* again is about 90%. If I think I'll come back to the site, I'll email myself the password, and if it's just a throwaway account (is there a better single word term for this yet?) I'll just use the password recovery if by some chance I need to login a second time. Hell, I've started using the password generator to pick usernames.
 
  *Does not include sites that have financial info like the Bank, Ebay, Amazon, etc.

Re:What could go wrong?

[TheRaven64]

In a civil suit, the burden of evidence is 'the balance of probability'. If you can show that your browser sends the header if a particular setting is enabled and that you have enabled that setting, then the other party would have to show that it was not sent in a specific case, or provide some counter evidence. In a criminal case, the standard is 'beyond reasonable doubt', so they would just have to show that it was possible that it was not sent.

Re:What could go wrong?

You have a SS number, right? Probably a debit and/or credit card as well?

YOU CAN BE TRACKED.... and you're worried about your "privacy" on your home computer? Open those window blinds so you can see the world for how it really is.

I do agree that everyone should get/expect personal privacy, but once you're on the web.... well, if someone wants to find out stuff about you, they will.

Re:What could go wrong?

[TheRaven64]

I'm pretty sure that Chrome on OS X uses the Keychain, so you can use the generated passwords from any other browser that does (i.e. Safari or Opera - I think FireFox can with an extension, but it defaults to reinventing the wheel). The Keychain can also generate passwords and tell you the strength of passwords, but for some reason Apple has not exposed this functionality in the browser.

Re:What could go wrong?

[StripedCow]

Ok, but how do you show that the setting was not enabled _after_ the indictment? Or is there no such requirement?

Re:What could go wrong?

[TheRaven64]

OpenID doesn't solve the privacy problem that it allows you to easily track someone across sites. Without it, I can easily use a different username and password for every password. My browser already stores all of these, so login is pretty much a solved problem. No site can tell what my account is on another site (unless I'm stupid enough to use gravatar or similar). With OpenID, it is trivial to tie together two online identities.

A well-designed single sign on system would have an authentication server provide no more information than a value indicating that two consecutive authentication attempts are the same person. It should not be tied to something like an email address (at least on the site's side - that's fine on the authentication provider's side).

Re:What could go wrong?

[TheRaven64]

I'd like to see a standard password database storage format

The storage format isn't the problem, it's the API. The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it. If I enter a password in Safari, Opera can only access it if I explicitly grant Opera permission for that password. How the passwords are stored is of secondary importance - the important part is that no program - especially not a web browser, which downloads and runs untrusted code - should be accessing the store directly.

Re:What could go wrong?

[f3rret]

I'm just going to stick with my super advanced password generator.

Re:What could go wrong?

[TheRaven64]

As I said, the requirement is 'balance of probability'. You make the claim and provide evidence, the other side has to show that it is improbable. It's up to the judge or jury do then weigh the evidence and see which is more likely...

Re:What could go wrong?

But I think using the same password for every site is a much bigger risk.

In particular, when a vulnerable site exposes its database, like in e.g. the Gawker and Sony breaches, you normally end up with a large number of matched email addresses and passwords.
I don't know how many people there are that use the same password for their email account as they do for everything else, but I'm guessing it's most of them.

Re:What could go wrong?

[tepples]

And no, Chromium and Chrome are not the same thing.

I've got Chromium Browser installed on my Xubuntu laptop. What's the noticeable feature difference, apart from the built-in SWF player and PDF reader?

Re:What could go wrong?

My problem with this is that using a passphrase in KeePass has to be short enough to type in when there is an emergency (say I need to log onto a machine as root because it can't connect to LDAP, and decided to not let anyone in), but long enough to deter brute force cracking.

This is why I like having another mechanism of security that isn't a password. The ideal would be a TrueCrypt container with the keyfile stored on devices. This way, if someone compromised the Dropbox account, there is no amount of password guessing that would yield them the stored passwords.

A well thought out 20+ character passphrase is good security, however, I don't like the fact that it likely is the only thing that is keeping some of the most secret data I have out of the hands of an intruder. Having another form of security such as keyfiles gives peace of mind.

Re:What could go wrong?

[crucini]

I was astonished when websites started asking for your login credentials for *other* websites in order to scrape your contact info.

The continued erosion of privacy is starting to look like the proverbial frog being boiled alive.

Google would love to have the Facebook and Linkedin social graphs. It seems credible that they would use your credentials to scrape your portion of the graph.

Of course they would put this in their next privacy policy, in suitably nice language, which would cause minor discomfort going down.

So I'm curious why you find the idea ridiculous. Do you not agree that Google desperately wants this data? Or do you think they have some ethical barrier to acquiring it?

Re:What could go wrong?

[fast+turtle]

Sorry bonch, but I'll stick with PassKeeper 1 as it's trully cross platform. Another reason and the most important one, is that I don't feel that the browser should ever generate my pw's for me. What happens if someone figures a compromise for the browser and am able to steal all the pw's you've generated? I do agree on not trusting Google in this case and in fact that was the first thing I thought of. Is the actual PW generation being done in a secure way on my system or is it being done using Google's servers; with Google then having a copy of all of my secure PW's? It all falls back to the reason I prefer using a seperate PW app such as PassKeeper and that I use the 1.0 version as it's not dependent on dotnet as the 2.0 tree is.

Re:What could go wrong?

[modmans2ndcoming]

nothing will solve your issues with privacy because HTTP headers can be used to uniquely identify your PC with a high enough certainty that even in a world of blurmany (Germany has crazy privacy laws), the advertisers can still track your behavior and know when you are on a site and advertise accordingly....that even works in a private session because it is based on the HTTP protocol.

Re:What could go wrong?

[fast+turtle]

My Bad for replying to myself

I do agree bonch and yes, the first question I had was just how does Google gauranty to me that the PW generation is being done in a secure way on my system and not theirs? The other issue is what happens when someone figures out a flaw in the PW generator and are then able to easily crack all of the PW's generated by everyone using this method? We've already seen it happen - Remember the Debian SSH key screwup?

As to trusting the browser, I really don't as far as retaining my passwords that's what a password safe is for because if someone compromises the pw.db you're screwed-blued and tatooed, which is why I use a PW safe. They have to figure out what app I'm using then compromise it before stealling all of my pw's.

Re:What could go wrong?

[mcneely.mike]

Bonch(etc)=Richard Stallman???
;-)

Re:What could go wrong?

[mrmeval]

It would be easier to have the DNC tag and levy a $10,000 fine for each violation. If you want the government to leave a puddle like an excited poodle on it's way to it's now overflowing food dish in it's mad dash to help you. Craft the law so you get $1000 and they get $9000 PER violation.

I'd like lower taxes and bankrupt assholes.

Re:What could go wrong?

Really?

Yes, really.

Perhaps you should have Googled it before shooting your mouth off...

I was already aware of it (it was covered on Slashdot when it was released). It's a non-standard extension that doesn't ship with the browser. All other major browser vendors ship with DNT functionality built in. Google is separating it from Chrome in the hopes that most people will never be aware of it, never seek it out, and therefore never use it.

I repeat, Google is the only major browser vendor not to adopt DNT. Mod me down all you want--that's the truth of the situation.

- bonch

Re:What could go wrong?

So do what I do. Have KeePass use a key file that you carry around on a flashdrive. The database is synced to my dropbox, but needing a token that never is more than a foot or two away from me is good enough for me.

Re:What could go wrong?

[mrmeval]

It's been a long time since I read cypherpunks and I still feel I'm a noob at crypto. Smart cards do the encryption/decryption in such a way as to not reveal the key even to snoopers.

I want to secure my home/laptop system so that I can use a smartcard to log on with a pin pad built into the card or one I carry. I think this is something I can set up.

I'd like to be able to use a computer that may have compromised hardware to be able to connect to a PC I control and do my transactions using that. Again I'd like to use the smart card to handle the security. I accept that compromised hardware could prevent this but if it was just snooping I would not care. I could most likely do this if I could boot to a USB stick and use the smartcard but would like to find out if I could do it on a system I did not have admin rights and could not boot on a USB stick. I would of course need to be able to use the USB ports. If there is a method to hide keystrokes and mouse use that would be a bonus.

I'd like to use the smartcard be the tool that either stores or unlocks passwords for websites requiring passwords. A quick check says that is possible. I'm not suggesting all websites have my public key for authentication since if it's compromised it's the same as having one password for all of them.

I'm slowly reading up on that subject. I cannot find a card with a pin pad to unlock it but I'm ok with a just a card that needs or is setup to require a pin. I cannot find a usb reader with pin pad that's small. I will get a larger one if the price is right.

Re:What could go wrong?

[kqs]

Really? Given google's track record (see http://www.dataliberation.org/ ) you will probably be able to export it as a comma-delimited file or some other standard format. Of course, IE probably won't have a way to import that, but that's hardly google's problem.

Many things about google are scary, but lock-in? The world has enough real problems, no need to make up fake ones!

Re:What could go wrong?

[aaaaaaargh!]

What's different from trusting the browser to store your passwords?

Nothing, both are insecure. You really should not store your passwords in the browser if you care for security. Use an external password manager you trust. I have written one for myself but there are also good open source password managers.

Trolling campaign by GreatBunzinni, aka Rui Maciel

GreatBunzinni, real name Rui Maciel, has been using anonymous posts to accuse almost 20 accounts of being employed by a PR firm to astroturf Slashdot, without any evidence. Using multiple puppet accounts, he mods up these anonymous posts while modding down the target accounts in order to censor their viewpoints off of Slashdot. GreatBunzinni accidentally outed himself as the anonymous troll who has been posting these accusations to every Slashdot story. For example, he wrote the same post almost verbatim, first using his logged-in account followed by an anonymous post days later. Note the use of the same script and wording.

It turns out GreatBunzinni is actually a 31-year-old C++/Java programmer from Almada, Portugal named Rui Maciel, with a civil engineering degree from Instituto Superior Técnico and a hobby working with electronics. He runs Kubuntu and is active on the KDE mailing list. Rui Maciel has accounts at OSNews, Launchpad, ProgrammersHeaven, the Ubuntu forums, and of course Slashdot. While trolling Slashdot, he listens rock music like Motorhead, Fu Manchu, and Iron Maiden, but lately he's been on a big Jimi Hendrix kick, with some Bootsy Collins on the side (as you might have guessed, he has a Last.fm account). He's also a fan of strategy games like Vega Strike and Transport Tycoon.

Most of the users Rui targets have done nothing more than commit the sin of praising competitors to Google or other Linux-based products at some point in the past. Some of them are subscribers who often get the first post, since subscribers see stories earlier than non-subscribers. After one of Rui's accusations is posted as a reply, the original post receives a surge of "Troll" and "Overrated" moderations from his puppet accounts, while the accusatory post gets modded up. Often, additional anonymous posters suddenly pop up to give support, which also receive upmods. At the same time, accused users who defend themselves are modded down as "Offtopic."

Rui Maciel's contact information
Email: greatbunzinni@gmail.com, greatbunzinni@engineer.com, or rui.maciel@gmail.com
IM: greatbunzinni@jabber.org (the same Jabber account currently listed on his Slashdot account)
Blog: http://rui_maciel.users.sourceforge.net/
Programming projects: ProgrammersHeaven page

Known puppet accounts used by Rui Maciel
Galestar
NicknameOne
Nicknamename
Nerdfest
chrb
flurp
forkfail
psiclops

tl;dr: An Ubuntu fan named Rui Maciel is actively trolling Slashdot with multiple moderator accounts in an attempt to filter dissenting opinions off the site.

xkcd

[Zaldarr]

http://xkcd.com/936/ Randall has it all sorted. Just use a whole lotta entropy.

Re:xkcd

This is one case where Randall got it completely wrong. His example will fail rather quickly to a dictionary attack, and as such, his estimates of entropy are way off.

Re:xkcd

[Mashiki]

It works, and works well. My SSID login is 27 characters and I can remember it without a problem. My secondary password after I use my RSA token? Usually 3 tries before I remember because we have a password policy of upper/lower case mixed with alpha-numerics, which must be between 8 and 30 characters in length. We change these every 18 days.

Brain...hurts...especially for someone with very poor short and medium term memory problems. Of course it's an automatic disciplinary issue if you write any of this down. Yeah gonna go over here and just keep epic face palming over it. One of these days, they'll figure it out.

Re:xkcd

If you can crack the one I use for my laptop, you can have the laptop.

You have to be smart about these things and implement them in a sane manner, and companies have been encouraging people to use passwords that are not secure in a way that is not secure for a long time now. Reusing passwords for multiple sites is an example of an exceedingly bad password policy because you only need one of them doing the idiot thing like Sony did, storing them in plaintext, and then -everything- you used that password with is compromised.

Reusing passwords is a bad idea. Trusting a company that has flagrant privacy violations on records with your passwords is a bad idea.

Your passwords are yours and they're your responsibility. Give them to someone else at your own peril.

Re:xkcd

A word taken randomly out of a dictionary of just 2000 words has about 11 bits of entropy. There's nothing to estimate there. A a simple two step calculation will determine it exactly. (1) Take a base 2 logarithm of 2000. (2) Congratulations, you are done.

As such, your math sucks, go learn some.

Re:xkcd

[Sigma+7]

Randall uses four words, not one. Even if you use a small word list of 5000 words (and TWL has much more words), that's 6.25 *10^14 combinations. It's still a few times stronger than a 8-character random alphanumeric which has ~2.81*10^14 combinations.

And if you go with the full TWL, you need at least 12 characters in the random alphanumberic to even be as strong as the 4-word passphrase.

It's only less secure in the sense that a similarly sized alphanumeric has more possible combinations - which is not being compared.

Re:xkcd

[zill]

I think this comic is much more related.

Before I started using keepass I actually stored the majority of my passwords in gmail in plaintext. I figured that google already has enough dirt to send me to gitmo for life from my search results alone, giving them more data isn't going to hurt.

Re:xkcd

No, it's all about lead-pipe cryptography. Or, in this case, wrench cryptography.
http://xkcd.com/538/

Re:xkcd

Somebody thinks that because you can find more than one word in a dictionary that a "dictionary attack" is effective against random combinations of words. Somebody is a moron.

Re:xkcd

[Zarel]

Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:

Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.

Emphasis mine.

A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.

His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.

Re:xkcd

[Lennie]

This is also relevant ;-)

http://xkcd.com/538/

Re:xkcd

[mwvdlee]

...and that's assuming people will use english words, which is probably try only for native English speakers without a second language. A dictionary would roughly double in size (yet another bit of entropy) for each additional potential language.

Re:xkcd

Every little box in the comic represents 1 bit of entropy. For each word he used 11 bit of entropy. So he assumed 2^11 = 32768 words in the dictionary.

Re:xkcd

http://xkcd.com/936/ Randall has it all sorted. Just use a whole lotta entropy.

I like this too, but there's one huge, major, glaring flaw with it.

Lots of web sites have stupid password restrictions. Like, must have some numbers, symbols, be between 8-16 characters, and so on, and so on...

Why they can't just say "password minimum 8 characters, and must have these arcane symbols and weird restrictions... OR password minimum 12 characters, unrestricted" is beyond me.

Worst yet is the sites where your password CANNOT be more than (say) 16 characters. My bank does this (ugh). My airline frequent flyer account. My newspaper commenting account. From memory, even Microsoft Live logins (a.k.a. Hotmail, a.k.a. Passport) can't be more than 16 chars.

So no "correct horse battery staple".

When you start thinking about why they have this restriction, you get scared. If they were hashing their passwords (i.e. the best practice), there would be no such restriction, since hashes can operate on any length string. So they're not hashing. Worst case, they're probably storing it plaintext in a VARCHAR(16)...

Re:xkcd

[MisterMidi]

Ehm, 2^11 = 2048...

Re:xkcd

[modmans2ndcoming]

The math is SOOOOOOOOOO wrong it isn't even funny.

The alpha cap and lower case letters gives you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.

so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the pass word length.

1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of guessing the password before the end of the list of possibles)

increasing the guess rate by 25 orders of magnitude would weaken the password considerably, but it would still be pretty good at 863 years.

Re:xkcd

[arielCo]

It's not only about having more entropy. As the top half of the comic suggest, Joe User who is new at managing passwords may have a hard time remembering "Tr0ub4dor!", and that may lead to less security if he resorts to guessable passwords or the dreaded Post-It.

Then comes the nasty issue of restrictions - "must be between 8 and 15 characters, with mixed case, at least one number and one symbol" (I kid you not). They're practically telling you to use 1-2 common words in l33tsp34k. There are ways around that: e.g., take the first two letters of your passphrase and "scramble" that in a compatible but consistent manner: "correcthorsebatterystaple" --> "C0h0b45t!". Don't try (too hard) to show the admin the error in his ways.

Re:xkcd

[arielCo]

Sorry, I meant the "two first letters of each word of your passphrase", but surely you already guess that. And no, I didn't call you Shirley ;)

Re:xkcd

[Jesus_666]

Plus neologisms, proper names and contractions. "john's nightly adventures in vaxholm", "beeb anchor cornflakes explosion" or "overdramatic grimdark etymology sideshow" are all unlikely to fall to simple dictionary attacks, although one could of course compile a dictionary that includes nicknames for TV channels, Swedish municipalities and internet slang. Perhaps not an entire additional bit but still slightly better.

Of course one should avoid common phrases as well. I'd expect "robots in disguise" to fall fairly quickly if passphrases were widespread enough to warrant the use of phrase dictionaries.

Re:xkcd

[swillden]

But Munroe's concept is irrelevant.

Yes, it's certainly true that you can get significant entropy from a multi-word phrase (BTW, Munroe assumed a 2048-word dictionary), and that it will be easier to remember than comparable entropy from a random character string. But low-entropy passwords are only part of the problem, and the smaller part. The bigger part is password reuse. The majority of people use the same password for their slashdot account, their bank account and everything in between. Some more savvy users have a small number of passwords, ranked roughly by "security level", so financial institutions all get one password, throwaway web accounts all get another, etc. But even in that case, all it takes is one breach at one "high-security" institution, and attackers have a large set of e-mail addresses with corresponding passwords.

There are really only two solutions: Consolidating authentication into some credential that can't be replayed or use different credentials everywhere.

The first approach is addressed by client-side digital certificate-based authenticate or by OpenID, or similar. As a practical matter, OpenID is something that is easier for people to manage and use correctly, and has the password-like advantage that it works on any web browser. It's the best solution we have at the moment -- and then you can use a multi-word passphrase for that singular authentication credential.

Barring that, you need some sort of password management solution. Given that browsers already do one portion of that job, it seems like a very good idea to help users use them to generate high-quality, unique passwords. Chrome's synchronization feature means that users who use different computers on a regular basis can expect their generated-and-stored passwords to work everywhere. It's not the best solution, but it's a good one. And if a computer is generating and managing the passwords, they don't need to be human-memorable anyway. Except, of course, for the password that is used to encrypt the Chrome password store. Use your multi-word passphrase there.

Of course, there are plenty of password management tools out there, so the Chrome solution isn't really necessary, but it seems likely to convince more people to use good and diverse passwords, which is the point.

Re:xkcd

[Rob+the+Bold]

The math is SOOOOOOOOOO wrong it isn't even funny.

The alpha cap and lower case letters gives you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.

so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the pass word length.

1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of guessing the password before the end of the list of possibles)

increasing the guess rate by 25 orders of magnitude would weaken the password considerably, but it would still be pretty good at 863 years.

You are of course referring to the "math" following your initial statement, right? And it was sarcastic, right? I hope . . .

Re:xkcd

Look at what we have here, a Google employee trying to defend his company. Not gonna work, fella. Everybody on /. is aware of what a bunch of backstabbing hypocrites Googlers are.

I work for Google and the only reason why I'm still there is because the idiots pay me a very high salary in return for very little work. I never use any Google product outside of work and never recommend Google products either. That includes the Android shit.

So why don't you just stop commenting on *every* Google-related article. Seriously, you don't have to defend and justify every Google action just because you work there. The company used to be cool, now it's a piece of shit ran by people who are hypocrites, assholes, or both (Gundotra, Rubin, Treynor, Urs). I'm sure you are aware of the fact that as soon as the news about the Safari fiasco broke, an emergency push was ordered by upper management to disable the "feature". What does that tell you about the Google assholes?

--
Jas

Re:xkcd

There is a third option: Use a one-way function that you can do in your head.

http://blown-to-bits.blogspot.com/2011/05/passwords-part-two-of-two.html

Re:xkcd

The root problem that causes people to reuse passwords is that they can't remember passwords that pass the security requirements of most sites.

As such most people force-memorize one or two strong passwords and reuse them for everything. If it were easy to remember large numbers of strong passwords it would be possible to educate people about the dangers of password reuse and not have it fall on deaf ears.

Password managers are a terrible idea, because you're trusting all your passwords to one piece of software that could be a trojan.

Or use 1Password

[cmarkn]

Its plugin is not quite seamless, but it works smoothly enough with Safari and Firefox. They're working on Chrome and Opera plugins, but they aren't there yet.

Re:Or use 1Password

[Intropy]

KeyPass 2 plugs into Chrome quite nicely. There's also an android version, which is nice for when I'm not at a computer I control.

Trolling campaign by GreatBunzinni, aka Rui Maciel

GreatBunzinni, real name Rui Maciel, has been using anonymous posts to accuse almost 20 accounts of being employed by a PR firm to astroturf Slashdot, without any evidence. Using multiple puppet accounts, he mods up these anonymous posts while modding down the target accounts in order to censor their viewpoints off of Slashdot. GreatBunzinni accidentally outed himself as the anonymous troll who has been posting these accusations to every Slashdot story. For example, he wrote the same post almost verbatim, first using his logged-in account followed by an anonymous post days later. Note the use of the same script and wording.

It turns out GreatBunzinni is actually a 31-year-old C++/Java programmer from Almada, Portugal named Rui Maciel, with a civil engineering degree from Instituto Superior Técnico and a hobby working with electronics. He runs Kubuntu and is active on the KDE mailing list. Rui Maciel has accounts at OSNews, Launchpad, ProgrammersHeaven, the Ubuntu forums, and of course Slashdot. While trolling Slashdot, he listens to rock music like Motorhead, Fu Manchu, and Iron Maiden, but lately he's been on a big Jimi Hendrix kick, with some Bootsy Collins on the side (as you might have guessed, he has a Last.fm account). He's also a fan of strategy games like Vega Strike and Transport Tycoon.

Most of the users Rui targets have done nothing more than commit the sin of praising competitors to Google or other Linux-based products at some point in the past. Some of them are subscribers who often get the first post, since subscribers see stories earlier than non-subscribers. After one of Rui's accusations is posted as a reply, the original post receives a surge of "Troll" and "Overrated" moderations from his puppet accounts, while the accusatory post gets modded up. Often, additional anonymous posters suddenly pop up to give support, which also receive upmods. At the same time, accused users who defend themselves are modded down as "Offtopic."

Rui Maciel's contact information
Email: greatbunzinni@gmail.com, greatbunzinni@engineer.com, or rui.maciel@gmail.com
IM: greatbunzinni@jabber.org (the same Jabber account currently listed on his Slashdot account)
Blog: http://rui_maciel.users.sourceforge.net/
Programming projects: http://www.programmersheaven.com/user/GreatBunzinni/contributions

Known puppet accounts used by Rui Maciel
Galestar

NicknameOne

Nicknamename

Nerdfest

Toonol

anonymov

chrb

flurp

forkfail

psiclops

tl;dr: An Ubuntu fan named Rui Maciel is actively trolling Slashdot with multiple moderator accounts in an attempt to filter dissenting opinions off the site.

One small problem...

[Todd+Knarr]

The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.

Re:One small problem...

The only kind of keylogger vhat would be thwarted by such is one that bugged only your keys.

Not subsrantial enough threat to sway the concern Sony is expressing wth automated log-ins.

Re:One small problem...

I'm confused. I thought we weren't supposed to be buying/using sony products/services for the last 10 years. Why didn't anyone tell me that I was allowed to start doing so again?

Re:One small problem...

[TheRaven64]

This really bugs me too. If a site lets my browser store the password, then I store it in the keychain, where it is encrypted and protected by an ACL so nothing other than the browser can get at it. If a site doesn't let my browser store a password then I also store it in the keychain, but now I transfer it to the browser via the clipboard where any app can see it.

Re:One small problem...

[tepples]

The login form on Chase Bank's web site has the same autocomplete="off" attribute.

Re:One small problem...

[Derek+Pomery]

There's a bookmarklet out there that removes this. Once Firefox has learned the password, it can keep filling out the field.
You can also use firebug to get around it.

You can also go into firefox source, unzip omni, and set _isAutocompleteDisabled to always return false in components/nsLoginManager.js then pack it up again.
Since updates to Firefox will clobber this, you might want to script resetting it, or else you might have to do it again every few months.

Re:One small problem...

[jonwil]

You could always use an open source browser (Chromium, Firefox, whatever) and modify it to ignore the "do not automatically store data for this form" attribute in the HTML form tag.
Or you could write a browser plugin or other tool that is designed to strip that attribute.

Re:One small problem...

[Rich0]

That's why I use lastpass - it ignores this setting. I tried hacking the chromium source to block it, but it was too much of a pita, especially since it gets updated every two weeks it seems. Plus, it is multi-browser...

Re:One small problem...

[spidr_mnky]

I agree with the sentiment that preventing autocomplete is stupid behavior. I find it mildly offensive that the browser enforces this, without option to turn it off, since it is supposed to be acting on my behalf. "Fix it yourself" is generally not a very helpful answer. However, in this case, I eventually did fix it myself (after I read how).

There are bookmarklets floating around which will force autocomplete for a page, but you have to load the page, then hit the bookmarklet, and it's not (that I've seen) a 100% solution. Better than nothing, though, and it works as a non-admin user.

Ultimately, to remove this behavior, I ended up altering a system file. I have to edit it again every time I upgrade Firefox, but that's part of the documentation for my system, now. On Gentoo, running FF 3.6.20, the file is /usr/lib/xulrunner-1.9.2/components/nsLoginManager.js. There is a function named "_isAutocompleteDisabled". Alter it to unconditionally return false, and the effect is that autocomplete is never disabled.

That's just my system, and I obviously use a pretty old version of Firefox. If you figure out where the current version of Firefox keeps the equivalent files on your OS of choice, and grep around for "isAutocompleteDisabled", I think you'll likely find the right place to hack the newest versions.

I am very pleased with the results. Autocomplete is no longer conditionaly, and I am never bothered by a site's attempt to prevent it. On the other hand, I'd be even more pleased to find a solution which is as effective, but stays within the confines of "normal" user configuration - an extension, or greasemonkey script, what-have-you.

Re:One small problem...

[bill_mcgonigle]

Or you could write a browser plugin or other tool that is designed to strip that attribute.

There's a Firefox extension called "Always Save Password" aka password.xpi. Mozilla apparently doesn't want to host this extension because they don't get usable strong security like Google is talking about (I assume they expect everybody to create difficult passwords and 'just' remember them).

There's also a bookmarklet out there to manually override each page you visit.

Re:One small problem...

[Derek+Pomery]

Er. Firefox installation, not firefox source.

Trolling campaign by GreatBunzinni, aka Rui Maciel

GreatBunzinni, real name Rui Maciel, has been using anonymous posts to accuse almost 20 accounts of being employed by a PR firm to astroturf Slashdot, without any evidence. Using multiple puppet accounts, he mods up these anonymous posts while modding down the target accounts in order to censor their viewpoints off of Slashdot. GreatBunzinni accidentally outed himself as the anonymous troll who has been posting these accusations to every Slashdot story. For example, he wrote the same post almost verbatim, first using his logged-in account followed by an anonymous post days later. Note the use of the same script and wording.

It turns out GreatBunzinni is actually a 31-year-old C++/Java programmer from Almada, Portugal named Rui Maciel, with a civil engineering degree from Instituto Superior Técnico and a hobby working with electronics. He runs Kubuntu and is active on the KDE mailing list. Rui Maciel has accounts at OSNews, Launchpad, ProgrammersHeaven, the Ubuntu forums, and of course Slashdot. While trolling Slashdot, he listens to rock music like Motorhead, Fu Manchu, and Iron Maiden, but lately he's been on a big Jimi Hendrix kick, with some Bootsy Collins on the side (as you might have guessed, he has a Last.fm account). He's also a fan of strategy games like Vega Strike and Transport Tycoon.

Most of the users Rui targets have done nothing more than commit the sin of praising competitors to Google or other Linux-based products at some point in the past. Some of them are subscribers who often get the first post, since subscribers see stories earlier than non-subscribers. After one of Rui's accusations is posted as a reply, the original post receives a surge of "Troll" and "Overrated" moderations from his puppet accounts, while the accusatory post gets modded up. Often, additional anonymous posters suddenly pop up to give support, which also receive upmods. At the same time, accused users who defend themselves are modded down as "Offtopic."

Rui Maciel's contact information
Email: greatbunzinni@gmail.com, greatbunzinni@engineer.com, or rui.maciel@gmail.com
IM: greatbunzinni@jabber.org (the same Jabber account currently listed on his Slashdot account)
Blog: http://rui_maciel.users.sourceforge.net/
Programming projects: http://www.programmersheaven.com/user/GreatBunzinni/contributions

Known puppet accounts used by Rui Maciel
Galestar
NicknameOne
Nicknamename
Nerdfest
Toonol
anonymov
chrb
flurp
forkfail
psiclops

tl;dr: An Ubuntu fan named Rui Maciel is actively trolling Slashdot with multiple moderator accounts in an attempt to filter dissenting opinions off the site.

the world upon a silver..er chrome platter

[smoothnorman]

"What do you want Google? The Key of Orthanc, or perhaps the keys of Barad-dûr itself, along with the crowns of the seven kings, and the rods of the five wizards?"

Re:the world upon a silver..er chrome platter

[St.Creed]

I think they'll settle for a small ring. A minor one, the smallest of them all...

OpenID

[IGnatius+T+Foobar]

The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.

So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.

Re:OpenID

well, I use a throwaway google acc whenever I encounter an openID barrier. I suppose google knows who I am, since I use the same IP to log in to my normal gmail.

Re:OpenID

[Dan541]

It's somewhat fruitless to try and hide from Google if you're a Gmail user.

Re:OpenID

[TheRaven64]

I'm sure Google loves OpenID. Now, not only do they get to track IPs and cookies from the various sites that use Google Ads or Analytics, they get to correlate multiple online identities on unrelated sites and build a detailed profile about a person. OpenID, sadly, isn't dead, but that doesn't mean it isn't a bloody stupid idea.

Re:OpenID

[mounthood]

Also, OpenID allows for more then just login -- it's extended for "profile exchange" and more. Ideal for Google, and all large companies, unlike https://browserid.org/ or other schemes.

I don't understand

[Superdarion]

I just don't get it. How will this help? It's not that people can't generate random paswords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by google accomplish?

Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords. While this is cool, kde and gnome already do it by default in ubuntu (and I assume in other distros that use them). I don't know about windows, but there should be one or two around. If there aren't (or if you really like chrome and wish to grant it control over your passwords), I just don't see how having a explorer-specific tool to manage passwords is a particularly good idea. A OS-wide password manager is much better, like the aforementioned kde and gnome implementations, because it works with whatever you're using, not just your choice of internet navigation software.

Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.

Re:I don't understand

Or we can go beyond using the lower 128 characters of the ASCII table characters as password and use the unicode space instead.

8 characters with some from the Chinese, Greek, Japanese, or other Klingon scripts etc got to be enough. ;)

Re:I don't understand

It's great in principle, but a pain in the ass to type (and you won't be even able to type it in most places, so it's only on your PC).

I used to use ~20 char mix of cyrillic and kanji for one Very Important encrypted drive pass at home, but then I said "Fuck it" and switched to ~45 char english nonsensical phrase - and it was still almost twice faster to type.

Re:I don't understand

Re-read the article, it's clear. This WEB SERVICE will store the user's passwords for them. You're too stupid to be allowed to know your own password (it's for your own good, trust us):

"While generally it's good that users don't know their passwords, there are times when they will need them such as when they aren't able to use Chrome. For these cases, we will have a website similar to Valentine where users can sign in and view (and possibly export?) their passwords"

This is full browser lock-in with Chrome. You won't be able to use any sites you have to log-in to without using Chrome. Worse than that, they're data mining all your passwords:

"we don't just choose a password for them is that many sites have requirements... So we will choose a default generator that will work on most sites... Long term we can hopefully also gather some aggregate information from UMA users about the form of passwords they generated so that this whole process can be skipped for the vast majority of sites"

And of course their own site is too important for it's passwords to be stored:

"We will need to special case the GAIA log in page so that this feature doesn't trigger"

This service, not a tool, will lock users into Chrome and prevent them from switching browers by holding their passwords hostage.

Re:I don't understand

bonch^WAnonymous Coward wrote:

This is full browser lock-in with Chrome. You won't be able to use any sites you have to log-in to without using Chrome. Worse than that, they're data mining all your passwords:

From TFA:

there are times when they will need them such as when they aren't able to use Chrome. For these cases, we will have a website similar to Valentine where users can sign in and view (and possibly export?) their passwords.

Dude, your lies don't hold water and your tinfoil hat is slipping.

Re:I don't understand

[Intropy]

Chrome already has an embedded password manager. I'm with you that it's nicer to have something external to the browser but that plugs into it. But I prefer an external app/format to the OS as well since it's easier to use the password database on whatever platform I need. All that being said, for most Chrome users Google doesn't have much to do with the OS, and something straightforward to use is a step in the right direction for most people.

Re:I don't understand

[MisterMidi]

Well, either you didn't RTFA that well, or you're just pulling sentences out of context to suit your views. You should run for senate.

Re:I don't understand

[swillden]

Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords.

Like most (all?) browsers, Chrome already has an embedded password manager. And it's better in one way than the desktop-based PW manager, at least for people who use multiple devices, because Chrome Sync will synchronize your passwords to Chrome on all of your other devices. So you have your passwords everywhere.

Re:I don't understand

Yes, because we should all trust the Google creeps. Thanks but no thanks.

By the way, take your hunting rifle and shove it up your ass!

--
Jordyn

i just want some biometrics

There's no chance of it outside the rare gimmick, because the infrastructure isn't cost-effective and we have all been trained to fear the government by the biggest proponents of it, the ones who want it in your bedroom and vagina.

Does it include quotes from Hamlet?

[solarissmoke]

Google is in the process of developing a tool to help users generate strong passwords...

I wonder if it will involve giving the user random selections from Shakespeare.

Actually

Actually, I wrote my own password generator that's based off the concept of generating nonsensical but reasonably easy to remember phrases.. http://mirror.digital-flux.com/files/dark12222000/BetterPasswordJar.zip

UNIX/Linux password generation.

[bejiitas_wrath]

http://www.cyberciti.biz/faq/linux-random-password-generator/

This might work nicely for those with access to a UNIX/Linux machine...

Re:UNIX/Linux password generation.

Just install apg. Should be in the repositories of most distros.

Re:UNIX/Linux password generation.

[lindi]

Unfortunately that does not work nicely. On a multiuser Linux system everyone can see your password by looking at the process list. Here's a proof of concept:

testi1@lindi2:~$ wget -q http://iki.fi/lindi/watchps.c
testi1@lindi2:~$ gcc -O2 -Wall -o watchps watchps.c
testi1@lindi2:~$ echo /lib/x86_64-linux-gnu | ./watchps
helper got 6738, waiting for 6739

...

testi2@lindi2:~$ genpasswd
sh88xS5MKUAiGTvk

...

woke up
cmdline: "/bin/echo sh88xS5MKUAiGTvk "
helper got 6739, waiting for 6740

Re:UNIX/Linux password generation.

[Robert+Zenz]

Or you could use mkpasswd.

Re:UNIX/Linux password generation.

[hutsell]

http://www.cyberciti.biz/faq/linux-random-password-generator/

This might work nicely for those with access to a UNIX/Linux machine...

For the past 12 years, without using any software (except for what's in my mind--whatever that might be) I've been using two algorithms to mentally generate a unique password for each site that requires logging into an account--now at several hundred and counting, memorization isn't a problem, since the two rules are based on the domain name and how I decided to elaborately positions itself to an American/English keyboard--the passwords easily replaceable, if updating is required. The reason for two instead of just one has to do with the additional security requirements some organisations want to control in how my password is constructed.

Although both rules are general enough to account for any variation and complicated enough in its variety of characters with a decent length to be secure in the classical sense (a random looking long mix of letters, caps, numbers and symbols--improbably hard to remember), there are a few very rare exceptions. For instance, my cell phone account demands, as unbelievable as it may seem, the password's length to be eight, with only letters and digits. When this situation occurs and a couple of slight variations with other clueless Companies, they end up getting that third slacker-catchall algorithm.

So what happens if a site not used in ages has changed their domain and no longer says or knows the original name; or the keyboard is formatted differently? Those 3 forgetful times (out of the 5 times the name changed during the last decade) were simply reset with the email address I always use; the keyboard in another format hasn't happened, but my memory about the character's positions are extremely good--resetting may be option, if I do forget. It's not perfect. Although no one is presently interested in my passwords--there might be a day, for one example, when I discover some new disruptive paradigm shifting technology. When that day happens, the interested parties will, with little effort I might add, be able to hammer it out of me.

Just do it the traditional way

I have always been happy with a simple "head -c6 /dev/random | mimencode -". I always used that when generating passwords for my colleagues to servers I was responsible of.

Re:Just do it the traditional way

[zill]

/dev/random may be random, but it's not cryptographically secure. You would be better off using a dedicated password generator (eg. pwgen or apg).

Re:Just do it the traditional way

That is not correct. From the manual:

/dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation.
[...]
The kernel random-number generator is designed to produce a small amount of high-quality seed material to seed a cryptographic pseudo-random number generator (CPRNG). It is designed for security, not speed, and is poorly suited to generating large amounts of random data.

It would be considered a serious security vulnerability if /dev/random did not provide cryptographically secure randomness.

Re:Trolling campaign by GreatBunzinni, aka Rui Mac

He's also a fan of strategy games like Vega Strike and Transport Tycoon.

I like the cut of this guy's jib.

What's the random number generator?

[Animats]

Does Google Chrome have a cryptographic-grade random number generator with a good source of enthropy? Javascript math.random() is known to be predictable. Has someone with respected crypto qualifications checked over the code and signed off on it?

Re:What's the random number generator?

[swillden]

Does Google Chrome have a cryptographic-grade random number generator with a good source of enthropy? Javascript math.random() is known to be predictable. Has someone with respected crypto qualifications checked over the code and signed off on it?

Chrome already has facilities for generating random numbers for generation of SSL session keys (or inputs to generation of SSL session keys) and for generation of key pairs. I've never looked at the source, but we also haven't heard about any issues with Chrome in those contexts. I would expect that Chrome uses the OS-provided RNG (e.g. /dev/random) facilities where available.

Already Exists: http://passwordmaker.org/

[JakFrost]

Already Exists: http://passwordmaker.org/
Google Chrome: http://passwordmaker.org/Google_Chrome

The Problem

If you're like most people, you have a few passwords that you use over and over again on many different websites. You know this isn't secure, yet you do it anyway. Why? Because it's difficult to remember a unique password for each and every web site that requires one.
Existing Solutions

Maybe you do use unique passwords, and get around the problem of remembering them by storing them in a spreadsheet or other file. Maybe you even use one of the many password managers that are available. But now you've centralized your passwords and access to them becomes difficult while at work, a friend's computer, or a public internet terminal. You can't get to your passwords without carrying them around or publishing them on the internet. Some people even carry a USB keychain with their passwords wherever they go. How inconvenient. And publishing them on the internet? Yikes! We need not even mention the security risks inherent with that solution. Even if you trust the company storing the passwords, you can be sure every hacker in the world is drooling over the prospect of accessing their database (Like the LastPass break in of May, 2011 LastPass Announcement).

Our Solution

PasswordMaker solves all of these issues. It is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.
How It Works

Warning - technical jargon in this section!

You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." 1. In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

What About Portability?

For times when you must use one of the rare platforms to which PasswordMaker hasn't been ported, or are using a system where you can't install any software, there's an online version which mimics the extension and works in all web browsers new and old. No downloads or installations are required.

Re:Already Exists: http://passwordmaker.org/

[St.Creed]

It would be so great if this was integrated with Keepass: let it figure out a password when possible, and let me do my stuff when needed.

Keepass already has a pretty flexible automatic password generator btw.

Re:Already Exists: http://passwordmaker.org/

[Chryana]

This is not the same thing at all... The passwords made by the Google password generator are meant to be truly random, so no access to one website is related to another. On the other hand, all the password this application makes are generated from the exact same password plus domain name (which is obviously known), so if someone knows you use this service and guesses your master password, he has access to all the sites you go to. It is somewhat more secure than using the same password everywhere as long as the attacker doesn't know you use this service, so it can be useful against random brute force attacks on a website you use.

Re:Already Exists: http://passwordmaker.org/

It's ALSO and far more importantly more secure than a single password because it involves a one way function. Some web sites might be using such functions, but you can't be sure all of them do. So performing the one way function yourself gives you protection from other people's crappy security.

Scenario A: I use the password "clownmonkey" on every web site. Anonymous break into crapforum.com, and steal their plaintext password database. Every jackass in the world now knows my password is "clownmonkey" and soon they've broken into dozens of my accounts by doing nothing more than trying my username or email address and the password "clownmonkey". If my password had been really hard to guess, it wouldn't help me at all.

Scenario B: I use PwdHash or PasswordMaker.org or other similar technology with the password "spongedude". Again Anonymous break into crapforum.com and get everyone's plaintext password. But my password on crapforum is gLJ7R3rrXdRi. This password doesn't work on any other web site. Smart bad guys might spot that it's a Pwdhash passwod BUT to find the shared password bad guys must run an expensive one-time search, hashing billions or trillions of possible passwods to have a hope of finding mine. This is way harder and unless I used the software to protect my savings or something it's just not worth their time. If my real password was hard to guess, it would help me, because it would make the search harder or impossible.

(e.g. uPWlpy8zwU01U+tCDb3UCw is a Pwdhash generated password for the imaginary crapforum.com. Go ahead, figure out the root password. If you can't then you should take back what you claimed).

Re:Already Exists: http://passwordmaker.org/

so if someone knows you use this service and guesses your master password, he has access to all the sites you go to

Not true. They'd also have to know how all the options were set. For example, what hash algorithm, what character set was used (and you can put in custom character sets, or change the order, etc). Plus you can set up different profiles per site (for sites that have different rules for password length, character sets).

Even knowing the master password only gets you about 10% there.

sure Mr.

"If you have something you want to keep secret, maybe you shouldn't be doing it" - go ahead and generate my passwords for me!

Not needed

[scdeimos]

Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.

Re:Not needed

[St.Creed]

A lot of people don't bother to download keepass and use it. This is a solution for people who otherwise wouldn't bother, so in that respect it would improve security.

OFcourse, only where the breakins involved password hacking. Most of the time it involves downloading malware.

Re:Not needed

[gbjbaanb]

so integrate it - let Chrome generate passwords (using keepass' quite good generator) and store the resulting password (plus site info etc) into a keepass DB. Then you can also use the passwords in different browsers and back them up a lot easier.

Re:Not needed

[Rich0]

Would love to use keepass, but it doesn't support all the platforms I'm running on. I'm stuck with Lastpass until that changes. I need support for Chrome on Windows/Linux/ChromeOS, and Chrome and the Android Browser on Android...

Re:Not needed

[swillden]

Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.

Or Google's attempt to convince more people to use diverse passwords, to push this good security practice out to a broader user base.

Re:Not needed

Done and done. Although I do wish that this process was built into the applications themselves, installing plugins to Keepass and Chrome does seem like a bit of a stretch for the average user.

how secure is that

[SuperDre]

And how secure is having only openid to login into every website? Now they only have to hack into your openid account to get onto all those different websites, making it much easier for the hackers.... yeah google i understand why you want everybody to use your openid, so you can track them even better....

Is it too late to go short on Lastpass?

[mark_reh]

Is it?

Won't use this

[equex]

Great, now hackers has a single point of attack to lift passwords. Imagine hooking a function call to the generation plugin which sends every password and username back to the attacker....

Keepass

[Colin+Smith]

A typical web site password of mine:

1jVzaVAy9Xhfoc_eok0V49ld-

My banking passwords are of course more controlled, with far more specialised systems enforcing password strength to exactly 6 digit numerical characters. Clearly date of birth is the state of the art in banking security.

"Keep my opt-outs" is not DNT

The extension does not seem to implement the DNT mechanism currently being defined at the W3C (which consists of special HTTP headers and JavaScript APIs).

Notify customers of shipping problems

[tepples]

It should not be tied to something like an email address (at least on the site's side - that's fine on the authentication provider's side).

Say an online store lets you sign in using OpenID to track your order. Without an e-mail address, how is the site supposed to notify you that the order has shipped, or more importantly, that there is a problem that prevents the order from shipping?

Re:Notify customers of shipping problems

[nedlohs]

By asking for your email address as well?

They're also going to have trouble shipping you what you ordered if you don't give them your shipping address too. I take it you also want that to be embedded into your openid as well?

Key continuity management in Keychain

[tepples]

The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it.

That's to keep viruses from infecting a program and gaining access to its key-value store. But a virus can't infect a signed program without invalidating the signature. I've read that Keychain ACLs transfer to future versions of the same program as long as both versions are provably by the same author, that is, they were signed with the same (self-signed) certificate.

Digest authentication is part of HTTP

[tepples]

Digest authentication is part of HTTP.

Launchpad.net

[tepples]

That's why I use my Ubuntu account instead of my Google account when I want to log in somewhere with OpenID. Is Canonical likely to track me and do evil things with the information?

Re:Launchpad.net

[TheRaven64]

Probably not, but now two unrelated sites can still cooperate to identify you between them. If you log in anywhere that uses your OpenID address as a public identifier then so can any crawlers. As I said in another post, a well-designed version of OpenID would have the authentication server provide no more assurance than that the same person attempting to log in twice was the same person. It would not provide any information that could tie this person to another account on an unrelated system.

Re:Launchpad.net

Our local Canonical Community Rep was a member of a coup against our local LUG, so tracking you hardly seems out of the question.

People mistype their e-mail address

[tepples]

I am the web developer and server administrator for such an online shop, and I get a lot of shipping notification e-mails bounced as undeliverable because people mistype their address. It has got to the point where Comcast has started to assume our legitimate shipping notification e-mails are spam. I imagine that if someone has successfully logged into OpenID, that's a stronger guarantee that the address can actually receive mail.

Re:People mistype their e-mail address

[nedlohs]

You don't make them enter it twice?

And what again what happens when they mistype their shipping address too?

Re:People mistype their e-mail address

[tepples]

You don't make them enter it twice?

Ctrl+C Ctrl+V and the error is pasted twice.

And what again what happens when they mistype their shipping address too?

For one thing, the postal service has proven competent at fixing that. For another, PayPal appears to do some processing on the shipping addresses of customers who pay with PayPal.

Re:People mistype their e-mail address

[nedlohs]

If they copy paste and make a typo then that's their tough luck. Surely that can't happen that often - both being stupid enough to copy-n-paste an obvious typo check and smart enough to know how to copy-n-paste...

google authenticator integration ?

i'd love to see those passwords beings managed by google authenticator ,

http://supergenpass.com/

[Ummon]

http://supergenpass.com/ It's hella easy to use. Portable and device/application independent. Been using it for quite awhile. Every site has a unique password based on a passphrase. You can have as many passphrases as you can remember. I tend to use a different passphrase based on the type of site. It's pretty cool since I don't technically know the password to any site. So even I can't be compromised.

Cart before the horse

I'd have thought Google would be better spending their time adding a facility to protect passwords the user has chosen Chrome to remember.

The fact Chrome has no native password manager "master password" facility cf Firefox is, for me, a deal-breaker.

Why have a strong password generator, then allow the user to save them where the next user of the browser can easily access them?

Just my $0.02

Storage

[lhunath]

The biggest issue I have with all of these solutions, 1Password, LastPass, KeePass, the OS X Keychain, browsers storing passwords, et al, is that they basically just all store all of your passwords in their own custom ways, often on remote stores beyond your control, while leaving you with the mess of creating the passwords and keeping them "in-sync" between all of your devices. What if you're not behind your laptop? How do you log into your email?

Thought I'd mention Master Password which aims to address this issue by letting you remember a single master password (which you already do for each of these solutions anyway) and then calculating your password for a given site from it. The algorithm is completely offline, uses no inputs other than those remembered by the user and others documented by the algorithm, and the output will pass most any of those pesky "password policies".

It basically means all you need is a calculator and your password to get access to any of your sites. And if you loose your device, no data lost and you've got your identity back just by picking up any other device.

The actual app is currently in beta and only for iOS, but the algorithm is fully documented for anyone to reproduce and a Mac version is already planned.

Re:Storage

[El_Oscuro]

This pretty much the same description for KeepassX. Your master password and/or keyfile are used to encrypt the passwords, and the date is stored locally. It runs on pretty much every platform. I keep a copy on my Ubuntu desktop and a copy on my Iron key, which has KeepassX as a built in app. Since the Iron key also has a master password and will self-destruct if 10 bad passwords are entered, the entire setup is pretty secure.

Re:Storage

[lhunath]

It's actually not. Master Password doesn't do any encryption of passwords. It doesn't store anything. It just takes a master password, does some clever hashing seeded by a site name, and calculates a password for the site from the result. Meaning all you need to reproduce your passwords is your master password and a program that can execute the algorithm.

That is not DNT

Not only does it not actually conform to DNT, it's an extension that doesn't ship with the browser. The majority of users will never use it and aren't even aware it exists. Why doesn't Google include the functionality by default? You successfully got him modded down by Google fans, but it doesn't change the facts.

This is a funny one..

Having trouble with your passwords? I would be glad to help you.. (google speaking avatar) Oh, Thank you gOOGLE. tHEY just passed my front door again.

world's most secure password generator

dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64

Google Advetising opt out website

[comparebest]

The site that allows you to get opt out cookies for over a hundred of behavior targeting advertising networks has been around for many years, and was actually created by those networks - www.networkadvertising.org.

Opt out now and don't forget to visit this site every time you re-install OS or clear cookies.

It works like a charm, you don't need a separate plugin for every network you aware of... there are hundreds of the ones you never even heard of yet seeing their custom tailored ads every day.