Slashdot Mirror


Google Working On Password Generator For Chrome

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."


  1. xkcd by Zaldarr · · Score: 3, Insightful

    http://xkcd.com/936/ Randall has it all sorted. Just use a whole lotta entropy.

    --
    I write professional videogame reviews! http://www.digitallydownloaded.net/
    1. Re:xkcd by Sigma+7 · · Score: 5, Insightful

      Randall uses four words, not one. Even if you use a small word list of 5000 words (and TWL has many more words), that's 6.25 *10^14 combinations. It's still a few times stronger than an 8-character random alphanumeric which has ~2.81*10^14 combinations.

      And if you go with the full TWL, you need at least 12 characters in the random alphanumeric to even be as strong as the 4-word passphrase.

      It's only less secure in the sense that a similarly sized alphanumeric has more possible combinations - which is not being compared.
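The entropy comparison made in this reply, carried through as an added example (not from the original thread): bits and search-space sizes for an N-word passphrase versus a random alphanumeric string, plus the random length needed to match. The 178,000 figure for the full TWL is an assumed approximate size; the 62-symbol alphabet (upper, lower, digits) and the tiny demo word list are constructed for the example.

```python
import math
import secrets


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in a secret built from `length` independent,
    uniformly random picks out of `choices` possibilities."""
    return length * math.log2(choices)


def combinations(choices: int, length: int) -> int:
    """Number of distinct secrets of that shape (the attacker's search space)."""
    return choices ** length


def min_length_to_match(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random characters drawn from an alphabet of
    `alphabet_size` symbols that gives at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_passphrase_to_random(wordlist_size: int, words: int = 4,
                                 alphabet_size: int = 62,
                                 random_len: int = 8) -> dict:
    """Compare a `words`-word passphrase from a list of `wordlist_size` words
    against `random_len` random characters from `alphabet_size` symbols."""
    phrase_bits = entropy_bits(wordlist_size, words)
    return {
        "passphrase_bits": phrase_bits,
        "passphrase_combinations": combinations(wordlist_size, words),
        "random_bits": entropy_bits(alphabet_size, random_len),
        "random_combinations": combinations(alphabet_size, random_len),
        "random_len_to_match": min_length_to_match(phrase_bits, alphabet_size),
    }


def make_passphrase(wordlist: list[str], words: int = 4) -> str:
    """Pick words with the OS CSPRNG (secrets), not random.choice: the
    entropy figures above only hold when every pick is uniform and
    independent, which is also why a human-chosen phrase is weaker."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # 5000 words as in the comment; 178_000 is an assumed approximate size
    # for the full TWL Scrabble list.
    for size in (5000, 178_000):
        r = compare_passphrase_to_random(size)
        print(f"{size:>7} words: {r['passphrase_bits']:.1f} bits vs "
              f"{r['random_bits']:.1f} bits for 8 alnum chars; need "
              f"{r['random_len_to_match']} random chars to match")
    # xkcd's figure: four words from a 2048-word list = 4 * 11 = 44 bits.
    print(f"xkcd: {entropy_bits(2048, 4):.0f} bits")
    demo_words = ["correct", "horse", "battery", "staple", "violet", "anchor"]
    print(make_passphrase(demo_words))  # constructed tiny list, demo only
```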

    2. Re:xkcd by Zarel · · Score: 3, Interesting

      Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:

      Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.

      Emphasis mine.

      A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.

      His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.

      --
      Want a high quality FOSS RTS game? Try Warzone 2100!
    3. Re:xkcd by mwvdlee · · Score: 2

      ...and that's assuming people will use English words, which is probably true only for native English speakers without a second language. A dictionary would roughly double in size (yet another bit of entropy) for each additional potential language.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:xkcd by MisterMidi · · Score: 2

      Ehm, 2^11 = 2048...

    5. Re:xkcd by arielCo · · Score: 3, Informative

      It's not only about having more entropy. As the top half of the comic suggests, Joe User who is new at managing passwords may have a hard time remembering "Tr0ub4dor!", and that may lead to less security if he resorts to guessable passwords or the dreaded Post-It.

      Then comes the nasty issue of restrictions - "must be between 8 and 15 characters, with mixed case, at least one number and one symbol" (I kid you not). They're practically telling you to use 1-2 common words in l33tsp34k. There are ways around that: e.g., take the first two letters of your passphrase and "scramble" that in a compatible but consistent manner: "correcthorsebatterystaple" --> "C0h0b45t!". Don't try (too hard) to show the admin the error in his ways.

      --
      This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
  2. One small problem... by Todd+Knarr · · Score: 5, Insightful

    The problem I see is the increasing number of sites (e.g. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security: it increases the number of times a keylogger could see my password, and it makes it harder to use high-difficulty (and difficult to remember) passwords.

  3. Re:What could go wrong? by Aerorae · · Score: 4, Insightful

    You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?

  4. the world upon a silver..er chrome platter by smoothnorman · · Score: 2

    "What do you want Google? The Key of Orthanc, or perhaps the keys of Barad-dûr itself, along with the crowns of the seven kings, and the rods of the five wizards?"

  5. OpenID by IGnatius+T+Foobar · · Score: 4, Informative

    The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.

    So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:OpenID by TheRaven64 · · Score: 2

      I'm sure Google loves OpenID. Now, not only do they get to track IPs and cookies from the various sites that use Google Ads or Analytics, they get to correlate multiple online identities on unrelated sites and build a detailed profile about a person. OpenID, sadly, isn't dead, but that doesn't mean it isn't a bloody stupid idea.

      --
      I am TheRaven on Soylent News
  6. Re:What could go wrong? by liquidweaver · · Score: 4, Insightful

    Let's take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

    Or realistically, that google would login as people and impersonate their accounts.

    You can have my tinfoil hat, you need it more than me.

    --
    mov ah, 4ch
    int 21h
  7. I don't understand by Superdarion · · Score: 3, Insightful

    I just don't get it. How will this help? It's not that people can't generate random passwords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by Google accomplish?

    Now, the article is not clear about it, but I think there's gonna be a Chrome-embedded tool to manage all passwords. While this is cool, KDE and GNOME already do it by default in Ubuntu (and I assume in other distros that use them). I don't know about Windows, but there should be one or two around. If there aren't (or if you really like Chrome and wish to grant it control over your passwords), I just don't see how having an explorer-specific tool to manage passwords is a particularly good idea. An OS-wide password manager is much better, like the aforementioned KDE and GNOME implementations, because it works with whatever you're using, not just your choice of internet navigation software.

    Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.

    1. Re:I don't understand by Intropy · · Score: 2

      Chrome already has an embedded password manager. I'm with you that it's nicer to have something external to the browser but that plugs into it. But I prefer an external app/format to the OS as well since it's easier to use the password database on whatever platform I need. All that being said, for most Chrome users Google doesn't have much to do with the OS, and something straightforward to use is a step in the right direction for most people.

  8. Re:What could go wrong? by rtb61 · · Score: 2, Interesting

    Let's take this argument to its realistic conclusion - Google Chrome password lock-in. Want easy access to your web site? You better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to; get one char wrong and you're stuck. Some like banks will definitely not email you a replacement password so that you can immediately reconnect.

    Easy solution: go with pass phrases, they are easier to remember, words between 4 and 6 characters long, three words, that's 12 to 18 chars, those with mixed language capabilities have a slight advantage and only so "Googleveryobvious" and you're done ;).

    --
    Chaos - everything, everywhere, everywhen
  9. Re:What could go wrong? by BitZtream · · Score: 3, Insightful

    Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.

    Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

    You can't call it lock in when they give you an unencrypted well documented XML file with your data in it, moron. That's what they do for all of their web services, you think they won't make an export feature for Chrome?

    They don't need lock in. Instead of doing 'Lock In' they do 'Better than the competition' which is far more effective at retaining customers. You should look into it some time.

    Of course, this new feature in order to be useful for lock in would have to diverge from the current feature of chrome that lets you look up previously stored passwords already.

    Do you actually have any idea at all who or what you're talking about?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  10. Re:What could go wrong? by mrmeval · · Score: 2

    I put mine in a text file and encrypt them with a PGP key that is not on my PC. That is my backup. I trust firefox well enough to let it store them but I don't trust them not to screw up and destroy them.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  11. Re:What could go wrong? by MisterMidi · · Score: 5, Insightful

    What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.

  12. UNIX/Linux password generation. by bejiitas_wrath · · Score: 2

    http://www.cyberciti.biz/faq/linux-random-password-generator/

    This might work nicely for those with access to a UNIX/Linux machine...

    --
    liberare massarum ex ignorantia, clausa descendit molestie.
    1. Re:UNIX/Linux password generation. by lindi · · Score: 2

      Unfortunately that does not work nicely. On a multiuser Linux system everyone can see your password by looking at the process list. Here's a proof of concept:

      testi1@lindi2:~$ wget -q http://iki.fi/lindi/watchps.c
      testi1@lindi2:~$ gcc -O2 -Wall -o watchps watchps.c
      testi1@lindi2:~$ echo /lib/x86_64-linux-gnu | ./watchps
      helper got 6738, waiting for 6739

      ...

      testi2@lindi2:~$ genpasswd
      sh88xS5MKUAiGTvk

      ...

      woke up
      cmdline: "/bin/echo sh88xS5MKUAiGTvk "
      helper got 6739, waiting for 6740

  13. Re:What could go wrong? by ozmanjusri · · Score: 5, Funny

    Let's take this argument to its realistic conclusion - Google Chrome password lock-in. Want easy access to your web site? You better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to

    Ctrl C
    Ctrl V.

    --
    "I've got more toys than Teruhisa Kitahara."
  14. Re:What could go wrong? by EdIII · · Score: 3, Interesting

    I can see there being some kind of lock-in, albeit not the one you are talking about.

    Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.

    What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.

    That could be the lock-in. All of your passwords are stored in the "Cloud" with Google. However, I am sure they would provide a secure export adhering to some standards (theirs) that other vendors could read (after circumnavigating some documentation more fucking complicated than the plans for the Death Star). Sorry, I do API programming for some Google products and I find their documentation a little lacking in some places and not well organized.

    My biggest issue is with Open ID. I will never, ever, participate in a system where you authenticate with a company where you are not the user, but the product. That's not security. Regardless of whether it is Google, having all that authentication in one spot is a bad idea. One password to rule them all, One password to bind them all, and in the darkness where you fucking lose it you get bent over by some sociopath in Russia who will own your ass and use it to pay for Vodka and teenage Russian hookers.

    Unless, I am explicitly told by a client, after they ignore all my recommendations, will I integrate a centralized authentication scheme. Just poor security, but others will disagree I am sure....

    Ohhhh, I almost forgot :)

    YouTube API was offline for over 3 hours yesterday. Got a ton of emails about it and I looked at the response code coming back and it was ServiceUnavailable. No problems with our system, from what I could tell from the logs. Calls just started working again a few hours later with no code changes.

    So if I do integrate Open ID, what guarantees do I have that the service will reasonably be available? How do I tell a user that the reason they can't authenticate is because one of the largest companies in the world has products in perpetual beta for free and I can't complain because it is free?

    Do you think any user that complained yesterday believed Google was at fault or our system? Seriously, why even bother sending out a service impact notification that people might not even believe. With just a few hours I let them think it was just a spike in our load and it took longer than normal to upload.

  15. Re:What could go wrong? by Jah-Wren+Ryel · · Score: 2

    You mean the Do Not Track list which is practically unenforceable?

    As best I can tell "Do Not Track" headers in the browser are there for legal purposes. If we ever get the chance to sue for unauthorized tracking having the browser explicitly inform the tracker's website that they should not be tracking this user will probably be helpful in court. It may even be that the threat of such ends up being enough to make trackers obey the header.

    But either way, it seems like an attempt to leverage the legal system for us little guys rather than a straight-forward engineering method of preventing tracking.

    --
    When information is power, privacy is freedom.
  16. Already Exists: http://passwordmaker.org/ by JakFrost · · Score: 5, Informative

    Already Exists: http://passwordmaker.org/
    Google Chrome: http://passwordmaker.org/Google_Chrome

    The Problem

    If you're like most people, you have a few passwords that you use over and over again on many different websites. You know this isn't secure, yet you do it anyway. Why? Because it's difficult to remember a unique password for each and every web site that requires one.
    Existing Solutions

    Maybe you do use unique passwords, and get around the problem of remembering them by storing them in a spreadsheet or other file. Maybe you even use one of the many password managers that are available. But now you've centralized your passwords and access to them becomes difficult while at work, a friend's computer, or a public internet terminal. You can't get to your passwords without carrying them around or publishing them on the internet. Some people even carry a USB keychain with their passwords wherever they go. How inconvenient. And publishing them on the internet? Yikes! We need not even mention the security risks inherent with that solution. Even if you trust the company storing the passwords, you can be sure every hacker in the world is drooling over the prospect of accessing their database (Like the LastPass break in of May, 2011 LastPass Announcement).

    Our Solution

    PasswordMaker solves all of these issues. It is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.
    How It Works

    Warning - technical jargon in this section!

    You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." 1. In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

    What About Portability?

    For times when you must use one of the rare platforms to which PasswordMaker hasn't been ported, or are using a system where you can't install any software, there's an online version which mimics the extension and works in all web browsers new and old. No downloads or installations are required.
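The "How It Works" section above, as an added worked example; this is not PasswordMaker's own code or algorithm. It swaps in PBKDF2 to stretch the master password and HMAC-SHA256 as the one-way function, normalizes the URL to its hostname, and maps digest bytes onto a password alphabet without modulo bias; the alphabet, salt, iteration count and demo values are all constructed assumptions.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Constructed choices for this example, not PasswordMaker's real settings.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
KDF_ITERATIONS = 200_000
KDF_SALT = b"example-site-password-derivation-v1"  # fixed, public, assumed


def normalize_site(url: str) -> str:
    """Reduce a URL to its lowercase hostname so the login page, the home
    page and the http/https variants of a site all derive the same password."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def stretch_master(master: str) -> bytes:
    """Slow KDF over the master password. Every site password is a
    deterministic function of the master, so a leaked site password lets an
    attacker test master-password guesses offline; stretching makes each
    guess expensive instead of a single fast hash."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), KDF_SALT,
                               KDF_ITERATIONS, dklen=32)


def derive_site_password(master: str, url: str, length: int = 16,
                         alphabet: str = ALPHABET) -> str:
    """Derive a per-site password: HMAC(stretched master, site || counter),
    consuming digest bytes one at a time and rejecting values that would
    bias the mapping onto the alphabet. Deterministic: same inputs, same
    password, so nothing needs to be stored."""
    key = stretch_master(master)
    site = normalize_site(url).encode("utf-8")
    limit = 256 - (256 % len(alphabet))  # rejection threshold, no modulo bias
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, site + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1  # next block if 32 bytes were not enough
    return "".join(out)


if __name__ == "__main__":
    master = "example master passphrase"  # constructed demo value
    for u in ("https://example.com/login", "example.com",
              "http://other.example.org"):
        print(f"{u:>28} -> {derive_site_password(master, u)}")
```

The first two URLs print the same password and the third a different one; with this scheme a site password cannot be rotated without changing the master, which is the trade-off for storing nothing.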

  17. Re:What could go wrong? by ThatsMyNick · · Score: 2

    Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

    Just so that you know, Google does not allow you to download non-anonymous search history either. I am usually logged in when I perform a search on Google. Neither does Google allow you to download the search results you have visited (it does not even allow you to view them, I believe). Google does not allow me to download the list of websites I have visited and Google had noticed that I had visited. It does not allow me to download the timestamps and IPs of my logins. I can go on and on, but you get my point. Google collects tons of information about me, which I don't get access to.

  18. Re:What could go wrong? by ozmanjusri · · Score: 5, Informative

    Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.

    Really?

    Perhaps you should have Googled it before shooting your mouth off...

    Google Releases “Do Not Track” Extension for Chrome
    Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
    Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
    This extension solves that, as Google believes this is the correct way to ward off ad tracking.

    http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/

    --
    "I've got more toys than Teruhisa Kitahara."
  19. Not needed by scdeimos · · Score: 3, Insightful

    Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.

  20. Re:What could go wrong? by tibman · · Score: 3, Informative

    OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.

    Here is an official list of recommended providers: http://openid.net/get-an-openid/

    --
    http://soylentnews.org/~tibman
  21. Re:What could go wrong? by tibman · · Score: 2

    I can't download the history, but i can view it all here: https://www.google.com/history/

    --
    http://soylentnews.org/~tibman
  22. Re:What could go wrong? by Lennie · · Score: 2

    And there is no Ironclad way to prevent tracking.

    You would need to anonymize all webtraffic, remove features from browsers people actually use, make all browsers work exactly the same (which you can not or you will need to create a monopoly of one browser) and disobey the HTTP/1.1 RFC with things like the E-tag.

    --
    New things are always on the horizon
  23. Re:What could go wrong? by WrongSizeGlass · · Score: 2

    Hi, my name is Anonymous Coward and I'm the average Slashdot poster.

    Slashdot Anonymous meeting (in unison) : Hi, Anonymous Coward.

  24. Re:What could go wrong? by WrongSizeGlass · · Score: 4, Interesting

    Just an extension? Not core functionality? Meh.

    released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.

    So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a) don't know about or b) don't provide an opt-out option?

    Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.

  25. Re:What could go wrong? by modmans2ndcoming · · Score: 3, Interesting

    Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?

  26. Re:What could go wrong? by TheRaven64 · · Score: 2

    In a civil suit, the burden of evidence is 'the balance of probability'. If you can show that your browser sends the header if a particular setting is enabled and that you have enabled that setting, then the other party would have to show that it was not sent in a specific case, or provide some counter evidence. In a criminal case, the standard is 'beyond reasonable doubt', so they would just have to show that it was possible that it was not sent.

    --
    I am TheRaven on Soylent News
  27. Re:What could go wrong? by StripedCow · · Score: 2

    Ok, but how do you show that the setting was not enabled _after_ the indictment? Or is there no such requirement?

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  28. Keepass by Colin+Smith · · Score: 2

    A typical web site password of mine:

    1jVzaVAy9Xhfoc_eok0V49ld-

    My banking passwords are of course more controlled, with far more specialised systems enforcing password strength to exactly 6 digit numerical characters. Clearly date of birth is the state of the art in banking security.

    --
    Deleted