Slashdot Mirror
Google Working On Password Generator For Chrome
Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."
http://xkcd.com/936/ Randall has it all sorted. Just use a whole lotta entropy.
I write professional videogame reviews! http://www.digitallydownloaded.net/
The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.
You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?
The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.
So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.
Tired of FB/Google censorship? Visit UNCENSORED!
Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.
Or realistically, that google would login as people and impersonate their accounts.
You can have my tinfoil hat, you need it more than me.
mov ah, 4ch
int 21h
I just don't get it. How will this help? It's not that people can't generate random paswords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by google accomplish?
Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords. While this is cool, kde and gnome already do it by default in ubuntu (and I assume in other distros that use them). I don't know about windows, but there should be one or two around. If there aren't (or if you really like chrome and wish to grant it control over your passwords), I just don't see how having a explorer-specific tool to manage passwords is a particularly good idea. A OS-wide password manager is much better, like the aforementioned kde and gnome implementations, because it works with whatever you're using, not just your choice of internet navigation software.
Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.
Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.
Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.
You can't call it lock in when they give you a unencrypted well documented XML file with your data in it, moron. Thats what they do for all of their web services, you think they won't make an export feature for Chrome?
They don't need lock in. Instead of doing 'Lock In' they do 'Better than the competition' which is far more effective at retaining customers. You should look into it some time.
Of course, this new feature in order to be useful for lock in would have to diverge from the current feature of chrome that lets you look up previously stored passwords already.
Do you actually have any idea at all who or what you're talking about?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.
Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to
Ctrl C
Ctrl V.
"I've got more toys than Teruhisa Kitahara."
I can see there being some kind of lock-in, albeit not the one you are talking about.
Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.
What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.
That could be the lock-in. All of your passwords are stored in the "Cloud" with Google. However, I am sure they would provide a secure export adhering to some standards (theirs) that other vendors could read (after circumnavigating some documentation more fucking complicated than the plans for the Death Star). Sorry, I do API programming for some Google products and I find their documentation a little lacking in some places and not well organized.
My biggest issue is with Open ID. I will never, ever, participate in a system where you authenticate with a company where you are not the user, but the product. That's not security. Regardless of whether it is Google, having all that authentication in one spot is a bad idea. One password to rule them all, One password to bind them all, and in the darkness where you fucking lose it you get bent over by some sociopath in Russia who will own your ass and use it to pay for Vodka and teenage Russian hookers.
Unless, I am explicitly told by a client, after they ignore all my recommendations, will I integrate a centralized authentication scheme. Just poor security, but others will disagree I am sure....
Ohhhh, I almost forgot :)
YouTube API was offline for over 3 hours yesterday. Got a ton of emails about it and I looked at the response code coming back and it was ServiceUnavailable. No problems with our system, from what I could tell from the logs. Calls just started working again a few hours later with no code changes.
So if I do integrate Open ID, what guarantees do I have that the service will reasonably be available? How do I tell a user that the reason they can't authenticate is because one of the largest companies in the world has products in perpetual beta for free and I can't complain because it is free?
Do you think any user that complained yesterday believed Google was at fault or our system? Seriously, why even bother sending out a service impact notification that people might not even believe. With just a few hours I let them think it was just a spike in our load and it took longer than normal to upload.
Already Exists: http://passwordmaker.org/
Google Chrome: http://passwordmaker.org/Google_Chrome
Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.
Really?
Perhaps you should have Googled it before shooting your mouth off...
Google Releases “Do Not Track” Extension for Chrome
Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
This extension solves that, as Google believes this is the correct way to ward of ad tracking.
http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/
"I've got more toys than Teruhisa Kitahara."
Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.
OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.
Here is an official list of recommended providers: http://openid.net/get-an-openid/
http://soylentnews.org/~tibman
released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.
So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?
Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.
Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?