Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Working On Password Generator For Chrome

Posted by Soulskill on from the 123456-letmein-hunter2 dept.

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."

10 of 175 comments (clear)

  1. One small problem... by Todd+Knarr · · Score: 5, Insightful

    The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.

  2. Re:What could go wrong? by Aerorae · · Score: 4, Insightful

    You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?

  3. OpenID by IGnatius+T+Foobar · · Score: 4, Informative

    The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.

    So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  4. Re:What could go wrong? by liquidweaver · · Score: 4, Insightful

    Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

    Or realistically, that google would login as people and impersonate their accounts.

    You can have my tinfoil hat, you need it more than me.

    --
    mov ah, 4ch
    int 21h
  5. Re:xkcd by Sigma+7 · · Score: 5, Insightful

    Randall uses four words, not one. Even if you use a small word list of 5000 words (and TWL has much more words), that's 6.25 *10^14 combinations. It's still a few times stronger than a 8-character random alphanumeric which has ~2.81*10^14 combinations.

    And if you go with the full TWL, you need at least 12 characters in the random alphanumberic to even be as strong as the 4-word passphrase.

    It's only less secure in the sense that a similarly sized alphanumeric has more possible combinations - which is not being compared.

  6. Re:What could go wrong? by MisterMidi · · Score: 5, Insightful

    What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.

  7. Re:What could go wrong? by ozmanjusri · · Score: 5, Funny

    Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to

    Ctrl C
    Ctrl V.

    --
    "I've got more toys than Teruhisa Kitahara."
  8. Already Exists: http://passwordmaker.org/ by JakFrost · · Score: 5, Informative

    Already Exists: http://passwordmaker.org/
    Google Chrome: http://passwordmaker.org/Google_Chrome

    The Problem

    If you're like most people, you have a few passwords that you use over and over again on many different websites. You know this isn't secure, yet you do it anyway. Why? Because it's difficult to remember a unique password for each and every web site that requires one.
    Existing Solutions

    Maybe you do use unique passwords, and get around the problem of remembering them by storing them in a spreadsheet or other file. Maybe you even use one of the many password managers that are available. But now you've centralized your passwords and access to them becomes difficult while at work, a friend's computer, or a public internet terminal. You can't get to your passwords without carrying them around or publishing them on the internet. Some people even carry a USB keychain with their passwords wherever they go. How inconvenient. And publishing them on the internet? Yikes! We need not even mention the security risks inherent with that solution. Even if you trust the company storing the passwords, you can be sure every hacker in the world is drooling over the prospect of accessing their database (Like the LastPass break in of May, 2011 LastPass Announcement).

    Our Solution

    PasswordMaker solves all of these issues. It is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.
    How It Works

    Warning - technical jargon in this section!

    You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." 1. In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

    What About Portability?

    For times when you must use one of the rare platforms to which PasswordMaker hasn't been ported, or are using a system where you can't install any software, there's an online version which mimics the extension and works in all web browsers new and old. No downloads or installations are required.

  9. Re:What could go wrong? by ozmanjusri · · Score: 5, Informative

    Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.

    Really?

    Perhaps you should have Googled it before shooting your mouth off...

    Google Releases “Do Not Track” Extension for Chrome
    Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
    Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
    This extension solves that, as Google believes this is the correct way to ward of ad tracking.

    http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/

    --
    "I've got more toys than Teruhisa Kitahara."
  10. Re:What could go wrong? by WrongSizeGlass · · Score: 4, Interesting
    Just an extension? Not core functionality? Meh.

    released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.

    So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?

    Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.