Slashdot Mirror


Google Announces "Password Alert" To Protect Against Phishing Attacks

HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.

76 comments

  1. Wait.. by Etherwalk · · Score: 1

    Why would you update your password because of a *failed* phishing attempt?

    1. Re:Wait.. by Anonymous Coward · · Score: 5, Informative

      Because telling you as you're typing your password into a phishing page is already too late. Javascript key logging anyone?

    2. Re:Wait.. by Etherwalk · · Score: 2

      Ah! Yes, that makes sense if it's only catching the page by your having entered the password.

  2. Funny by ArcadeMan · · Score: 4, Funny

    Google warning us about other people trying to get our information.

    1. Re:Funny by Anonymous Coward · · Score: 0

      He's a patsy, but he's my patsy.

    2. Re:Funny by Chalnoth · · Score: 2

      Google might show you ads that could entice you to buy something you might not otherwise buy.

      Phishers might steal your account and, if you have Google Wallet attached, might use your account to spend money. Or they might use your e-mail to gain access to other accounts (e.g. bank accounts).

    3. Re:Funny by Anonymous Coward · · Score: 0

      So, psychological manipulation to relieve you of your money, or psychological manipulation to relieve you of your money.

      When everyone was worshipping a sky fairy, it was assumed normal to do so and ridiculous not to, but modern commercial propaganda is just as ridiculous and has exactly the same aim: making people willingly give their money over to people with very much money already.

      At least the phishing involves a single trick and can be nipped in the bud after a single event. It is more honest than advertising.

  3. Password by turkeydance · · Score: 1

    Allen Ludden...what a retro trip...how quaint.

  4. Chrome will remember a "scrambled" version by SoCalChris · · Score: 4, Insightful

    It's sad how far Slashdot has fallen.

    1. Re:Chrome will remember a "scrambled" version by Anonymous Coward · · Score: 3, Insightful

      It's sad how smugly superior the tech nerds are here.

    2. Re:Chrome will remember a "scrambled" version by Anonymous Coward · · Score: 1

      It's sad that non-tech people waste their time visiting a site advertising itself as "news for nerds" and then complain when someone wants the site to cater to nerds.

    3. Re:Chrome will remember a "scrambled" version by Okian+Warrior · · Score: 4, Funny

      It's sad how far Slashdot has fallen.

      It's sad how smugly superior the tech nerds are here.

      It's sad that non-tech people waste their time visiting a site advertising itself as "news for nerds" and then complain when someone wants the site to cater to nerds.

      It's sad how entire families can be torn apart by something as simple as wild dogs.

    4. Re:Chrome will remember a "scrambled" version by thegarbz · · Score: 2

      Yeah how dare they faithfully quote an article.

    5. Re:Chrome will remember a "scrambled" version by Em+Adespoton · · Score: 2

      ...when they could have instead used a more succinct summary aimed at nerds, or, picked a different source document. I mean, this doesn't even tell us what hash algorithm is used to "scramble" our locally stored passphrase.

      What I'd really like to see is a keychain helper (listening, Apple, onepass, etc?) that keylogs browser forms and performs this function against ANY password stored in the keychain. I mean, I've already got a keychain full of password/uri pairs -- why not do this with it as well?

      The downside of course is that said helper would have to have full read access to the hashed keychain -- which while not a huge security issue, still could leak data like what uris you have stored in the keychain.

    6. Re:Chrome will remember a "scrambled" version by Anonymous Coward · · Score: 0

      But don't you understand... making a site catering to nerds is racist and sexist because all nerds are white and male. It has to be stopped.

    7. Re:Chrome will remember a "scrambled" version by amias · · Score: 4, Insightful

      hmm, how do I find passwords on this computer...

      let's start typing random strings into a password field until this plugin tells me which is the google password.

      yay, now I can log in to their google account first time!

      this is almost as silly as those things that validate your bank card's PIN for online banking that let muggers force you to disclose your PIN in a way that the banking system couldn't possibly know.

      I really hope this isn't going to be installed on mobile phones

      --
      [site]
    8. Re:Chrome will remember a "scrambled" version by gsslay · · Score: 2

      It's quoting TFA.

      I'm hoping that's just Google simplifying for the common end user and it is using some kind of encryption. But who knows?

    9. Re: Chrome will remember a "scrambled" version by Anonymous Coward · · Score: 0

      Since when is this a nerd site?

    10. Re:Chrome will remember a "scrambled" version by Anonymous Coward · · Score: 0

      Now that is actually sad. The rest of the crying is just 1st world problem stuff.

    11. Re:Chrome will remember a "scrambled" version by unrtst · · Score: 1

      It's sad how far Slashdot has fallen.

      It's sad how smugly superior the tech nerds are here.

      It's sad that non-tech people waste their time visiting a site advertising itself as "news for nerds" and then complain when someone wants the site to cater to nerds.

      It's sad how entire families can be torn apart by something as simple as wild dogs.

      They should have used Google Dog Alert. The scrambled version of the dogs, while disturbing, are not capable of tearing anything apart.

  5. scrambled eh? by Anonymous Coward · · Score: 0

    Why bother scrambling when we already know that chrome puts saved passwords in a clear text unencrypted text file?

    1. Re:scrambled eh? by dunkindave · · Score: 0

      Why bother scrambling when we already know that chrome puts saved passwords in a clear text unencrypted text file?

      Because those passwords are stored with the explicit permission of the user, and because they need to be accessible so they can be used to fill in forms. On the other hand, to simply check if you have typed the Google password doesn't need the clear text password, so best practice says it should be hashed, err, I mean scrambled.

    2. Re:scrambled eh? by tepples · · Score: 2

      Then why isn't Chrome's list of saved non-Google passwords encrypted in a way that only Chrome can decrypt, such as with a key derived from the user's Google account password?

    3. Re:scrambled eh? by suutar · · Score: 1

      because they didn't want to bundle a password manager when you can add one as a plugin?

  6. Put on the popcorn by vux984 · · Score: 2

    Put on the popcorn and wait for the fireworks show that arises when people who use the same password they use for google on other sites.

    Still it's an interesting idea, that might be usable in a general purpose extension that maintains hashes and URLs and then hashes every input box and compares it to the database / urls -- and if it finds a hash match but the URL is wrong throw up an alert.

    Way more useful than a google only one that only works in chrome and only when you are signed in.

    1. Re:Put on the popcorn by ShanghaiBill · · Score: 2

      Put on the popcorn and wait for the fireworks show that arises when people who use the same password they use for google on other sites.

      The intersection of the set of people that care about security enough to install this extension, yet don't care enough to use unique passwords, is probably rather small. When there is a problem, they could do the stupid thing and uninstall the extension, or they could do the smart thing, and start using unique passwords. Either way, there would be no need for fireworks.

      Still it's an interesting idea, that might be usable in a general purpose extension that maintains hashes and URLs and then hashes every input box and compares it to the database / urls -- and if it finds a hash match but the URL is wrong throw up an alert.

      Yes, making this work for all password protected sites, rather than Google-only, would be nice. That would not only stop many phishing attempts, but would also discourage cross-site password reuse.

    2. Re:Put on the popcorn by Bing+Tsher+E · · Score: 2

      But it's none of Google's business what I use as a password on other sites. Not that I use Chrome except at work where it's required.

    3. Re:Put on the popcorn by ewibble · · Score: 2

      people will still use the same password even with this tool, because they are lazy.

      instead of "password" for all sites they will use password.google or something similar to bypass this and the passwords will still be phished

    4. Re: Put on the popcorn by Anonymous Coward · · Score: 0

      More interesting if they just expose an api for any other software to access.

      I do not trust chrome to protect my privacy.

    5. Re:Put on the popcorn by ShanghaiBill · · Score: 1

      But it's none of Google's business what I use as a password on other sites.

      Google doesn't need to know your passwords. They only need to know a one-way hash. But if you are too paranoid to even allow them to keep a hash, there is a simple solution: Don't install the extension.

    6. Re:Put on the popcorn by vux984 · · Score: 3, Interesting

      The intersection of the set of people that care about security enough to install this extension, yet don't care enough to use unique passwords, is probably rather small

      Fair enough. Still...

      "Password Alert is also available to Google for Work customers, including Google Apps and Drive for Work. Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem."

      The intersection of administrators who might think it's a good idea with end users that use the same password on other sites might be large enough to be at least a little bit fun.

      Yes, making this work for all password protected sites, rather than Google-only, would be nice. That would not only stop many phishing attempts, but would also discourage cross-site password reuse.

      Yeah, if it were integrated with something like password safe or password gorilla or keypass etc.

      Or I suppose it could be tied into the A/V products which already have anti-phishing extensions -- McAfee for example, already has a password safe and antiphishing ... seems almost a no-brainer for them to integrate them in this way. The password safe component could dump a list of hashes and domain names and if you try entering a password that matches the hash throw up an alert. And then maybe flag the page for A/V's phishing lists so if a page is generating alerts like crazy visitors it can be blacklisted -- preventing other users from even reaching the domain/phishing page.

    7. Re: Put on the popcorn by Anonymous Coward · · Score: 0

      They don't need to bypass anything. They just don't install the extension.

    8. Re:Put on the popcorn by vux984 · · Score: 3, Interesting

      Your criticism amounts to "If it doesn't completely solve the problem for everybody it's no good." and that is false.

      Yes some will switch to various simple password patterns t.password for twitter... f.password for facebook... or maybe fb.password... etc. That's still an improvement. Even simple patterns require some effort to break.

      Some fraction will use harder patterns that aren't immediately obvious. That's an improvement. Let's say my password is "stupidgdog" for google. Maybe your automated phishing tools will try stupidfdog on facebook... but maybe not.

      Some fraction will use a slightly harder pattern.

      Let's say I use stupidgHdog as my google password. My new pattern is still simple. It's "stupid" + "first name of domain" + "next letter in alphabet capitalized" + "dog"

      With just one sample, are you really sure your automated phishing tools are going to figure out that facebook is: stupidfGdog ? And twitter it's stupidtUdog?

      And that's still pretty lazy as passwords go.

      Some small fraction will take the hint and use much harder patterns. That will take several phished passwords for the user and probably some human eyes to figure out. This is an improvement.

      Let's say my google password is: C69.7Germanium what's my facebook password?

      Here... I give you twitter on this pattern too: N47.8Vanadium.
      With 2 sample passwords you've got enough of a pattern to try and brute force it... letter + 3 digits + element... 26 * 1000 * 118... 2.6 million passwords to try.

      Very doable if it's a targeted search on a particular user... but you're probably not going to spend the time looking at each phished password and then write a script to do that specific search... for just one random user. Probably.

      And some fraction of people will switch to using a password safe or something, and that's an improvement too.

    9. Re:Put on the popcorn by sexconker · · Score: 1

      Fuck it, I'm making popcorn tonight.

    10. Re:Put on the popcorn by Nemyst · · Score: 2

      For what it's worth, LastPass will already warn you if a password is reused across two different domains. You need to explicitly set a list of equivalences if two domains share the same backend, for example.

    11. Re:Put on the popcorn by Noah+Haders · · Score: 1

      But is google constantly scanning all the text I enter into webpages, even text into a https page? That seems wrong and scary.

    12. Re:Put on the popcorn by suutar · · Score: 1

      O19.0Neon

      But no way in hell I'd have an automatic pattern generator rigged to try that.

    13. Re:Put on the popcorn by vux984 · · Score: 1

      O19.0Neon

      Good solve! :) Strictly speaking, it would have been O18.9Neon as I was truncating rather than rounding atomic weights.

      But no way in hell I'd have an automatic pattern generator rigged to try that.

      That was my thought too. And even that algorithm was relatively simple; requiring the user memorize just a couple simple rules and either know the periodic table; or have ready access to one (which is trivial) in the event he needs to "regenerate" a forgotten password.

      I -used- to use techniques in the same general category as this for password generation... but after a few breaches and other forced password change situations it became irritating because I could no longer use the password the 'system' generated with some sites. I switched to using a password manager with random passwords on most sites.

      I still use a 'system' for some sites I use regularly and/or have to enter the p/w manually instead of being able to use copy/paste.

      I memorize a simple password for each and then apply some ciphers and transformations to it. So losing one to a phish isn't a threat to the rest, and I can change it easily since it isn't based solely on the domain name.

      But it's only suitable for a smallish number of sites; since I still have to remember a basic password.

      And honestly, at this stage I feel the so-called security questions (that anyone who knows you can answer) with email or SMS recovery mechanisms are the weakest link. As these are both fairly easy to intercept; especially if you know the target.

    14. Re:Put on the popcorn by swillden · · Score: 1

      Some Javascript downloaded from Google scans all the text you enter, hashes it, and compares it with a locally-stored hash. It doesn't send any of what you type anywhere off your machine. Not wrong, or scary, and it's all open source so you can verify what it's doing. For that matter, you can use the Chrome dev tools to set breakpoints and step through it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Why an extension? by Anonymous Coward · · Score: 0

    They should just bundle this into their browser.. seriously.

  8. "scrambled" version by NotInHere · · Score: 5, Informative

    Can you please stop with this plebs speak? This is a site for nerds, not for non-technical people. Say "hash" when you mean "hash". I mean is researching actual technical info so hard? For everyone not wanting to click links: it's comparing the first 37 bits of the hash, using the SHA-1 hash mechanism. And yes it's salted.

    1. Re:"scrambled" version by turkeydance · · Score: 1

      short answer: no.

    2. Re:"scrambled" version by Anonymous Coward · · Score: 1

      The word "scrambled" is a direct quote from the google blog post the story links to.

    3. Re:"scrambled" version by Anonymous Coward · · Score: 1

      So basically, Google is giving you access to their hash, salt, and saying "Enjoy unlimited cracking attempts at this password offline, evildoers!" Thanks Google!

    4. Re:"scrambled" version by xxxJonBoyxxx · · Score: 4, Informative

      >> So basically, Google is giving you access to their hash, salt, and saying "Enjoy unlimited cracking attempts...

      Not exactly. The 37-bit version is just less than 25% of the full 160-bit SHA-1 so, as the source mentions (https://raw.githubusercontent.com/google/password-alert/master/SECURITY.md) the intent is to keep enough of the password to tell when the same password has been tried twice, but not enough of the hash to allow someone to authoritatively crack it. (I hope - haven't seen the proof of 37-is-the-right-number yet.)

      This isn't the first time someone's used hashes with high collision rates to see if the same passwords are being tried without actually storing enough of a hash to flag the password. See this article for a different example (trying to tell badly configured clients from brute forcing attempts): http://www.filetransferconsult...

    5. Re:"scrambled" version by thegarbz · · Score: 2

      I would rather a faithfully quoted news article than someone trying to come up with some meaning that isn't there. Slashdot is not a news site, it's an aggregator. It doesn't publish news, it publishes links to news and when it does I am happier knowing that parts of the article are quoted accurately.

      Every time we let the editors off the rails to form their own opinions on subjects it turns out badly for readers.

    6. Re:"scrambled" version by Anonymous Coward · · Score: 0

      Except this is enough for dictionary attacks, for which collisions are much more rare, as the password has to make some sense, instead of just being random characters.

      For example, if "12345" has a SHA-1 which matches the 37-bit stored hash, there is a much higher chance that the password is indeed "12345" instead of "U8#k%*dKQl"...

    7. Re:"scrambled" version by oodaloop · · Score: 1

      Bingo. Additionally, every slashdaughter who knows what hashing is realized that's what they meant by "scrambled". So big deal, TFS doesn't say which hash they use.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    8. Re:"scrambled" version by danomac · · Score: 1

      What?? No pepper?

    9. Re:"scrambled" version by Anonymous Coward · · Score: 0

      It seems if you can get 25% match on a hash, it is very very unlikely that you've gotten the wrong password. Certainly you could use it to narrow your options down to two or three reasonably good attempts at a live system. And SHA-1 instead of bcrypt/scrypt? They're basically giving your password out. I'll be moving off gmail now.

    10. Re:"scrambled" version by Anonymous Coward · · Score: 0

      I know what cryptographic hashing is. I don't know what "scrambling" is. I literally thought it was a character shuffle (think anagram) from TFS.

    11. Re:"scrambled" version by Obfuscant · · Score: 1

      The problem I have with the /. summaries is that they are misattributed. For example, in this /. article, the claim is:

      mrflash818 writes:

      immediately followed by a verbatim copy of a NOAA press release. Now, I don't have evidence that "mrflash818" is not the author of that press release, but the chances are unlikely. It would not be hard to find many many other examples where the quoted material has a byline that doesn't match the "xxx writes" attribution.

      Please, attribute the true author and leave the handles and nics and pseudonyms out of it.

  9. So like the cops... by tlambert · · Score: 1

    So like the cops... it shows up only after the crime has been committed, and only protects some of the population (Google passwords) and not the rest of the population (e.g. your banking password isn't protected, because it's not a Google site).

    Seems slightly less than useful.

    1. Re:So like the cops... by swillden · · Score: 3, Informative

      So like the cops... it shows up only after the crime has been committed, and only protects some of the population (Google passwords) and not the rest of the population (e.g. your banking password isn't protected, because it's not a Google site).

      Seems slightly less than useful.

      I disagree.

      If you use Gmail as your primary e-mail then your Google password is the crown jewel of your online identity, since every other site out there (including your bank) uses e-mail as the password reset channel. Sure it might be nice if the tool were more general-purpose (though that would require changing the hashing strategy, which intentionally uses relatively few bits as a security measure to protect against brute force), but if you can protect only one password, your e-mail password is the one.

      For people who use not just Gmail but lots of Google services, it's even more critical. I store lots of important stuff in Drive, have my phone report my exact location, have my whole address book synced, etc., etc. It doesn't concern me to have so many eggs in one basket because I trust Google to maintain good security, but it can only be as good as my authentication. I use 2FA, but there's still value in being careful with such an important password.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  10. Obligatory xkcd by Anonymous Coward · · Score: 0

  11. Password managers make this unnecessary by windyweather · · Score: 1

    Seems to me that if you use a password manager - LastPass among others - then this is unnecessary. I never type my password, and if I'm phished, then the site won't match the password manager entry and won't be filled in. So, Google would have been better off allowing / providing a good password manager rather than this half measure that only sees it after the fact rather than preventing you from entering it in the first place. Personally, I'm waiting for SQRL that will eliminate the need for passwords altogether. https://www.grc.com/sqrl/sqrl.... -ww

    1. Re:Password managers make this unnecessary by Anonymous Coward · · Score: 0

      Password managers mitigate against this to some degree by allowing you to have a separate password for each site but they don't completely protect you from phishing. You could still be tricked into auto-typing your [Favorite Site] password into a phishing site if they've got the page looking good enough and the titlebar is a close enough match to the glob string in your auto-type-window matching. If you do get phished at least the damage is limited to the site that was compromised.

      I get around this by having a Greasemonkey script that injects the hash of the document.location.host into the title bar (since it's craploads easier than trying to retrieve SSL certificate attributes) and then match on that in the auto-type-window string. If the attacker's gone as far as MITMing an SSL/TLS login page then there's not a heck of a lot you can do.

    2. Re:Password managers make this unnecessary by Anonymous Coward · · Score: 0

      I use a password manager - for the passwords that I never use. Either because they are for pages that I only visit once a year, or because they are for some program with a remember function (such as Steam).

      For the ones I use often, a password manager is too much trouble (start browser, open page, start password manager, copy password, paste password in password field).

  12. Obligatory bash.org by Qzukk · · Score: 1

    If you type your Google password into some other website with this feature enabled, it automatically turns it into asterisks like this: *******

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  13. Ignore other auth holes by grilled-cheese · · Score: 1

    Ignore the fact that a Google Apps domain can use their own SAML SSO solution to effectively replace the Google signin page. This means that their new anti-phishing plugin would be rendered useless. Additionally if this is used on a domain, it also bypasses their two-factor authentication mechanism (even if you set it up).

  14. Sweet! by Anonymous Coward · · Score: 1

    Now if I get a foothold on your machine, I can run a hidden browser window pointed at my own server and start feeding random passwords into a form until the browser alert tells me I guessed correctly.

  15. Why an extension? by Begemot · · Score: 3, Insightful

    Users who are savvy enough to find and install this extension are less likely to fall for phishing.
    Users who may fall for phishing may not hear about the extension or do not know how to install it.
    Why not build it in the browser itself?

  16. Rube Goldberg by Anonymous Coward · · Score: 0

    It's Rube Goldbergs all the way down!

    First, you download random Javascript off the 'net, hope for the best and *execute that crap on your machine*. Voluntarily.

    Then you have some other built-in, more complex piece of code that tries to tip you off that this random Javascript is trying to do something nasty.

    Then there is this other randomly downloaded Javascript that thinks that you are trying to free-ride the valuable service of this website by looking away when the ads pop up.

    Then...

    what could possibly go wrong?

    (still pissed off at Mozilla because they took away the simple "disable Javascript" checkbox with some weak pretext sounding like "our users are idiots" or something).

  17. "password" and "123456" dethroned by advantis · · Score: 1

    So now people will have passwords like this:

    google_password
    tinder_password
    linkedin_password
    facebook_password

    instead of just "password"

    I think at this point using a Google Authenticator generated code _as_ the password should be enough. It removes the user from the process of creating a "correct horse battery staple" password. It makes the authentication pretty much on par with SSH key authentication (you have a private key, Google has the public part, you generate a code that demonstrates that you have the correct key). I'd like to see phishing sites ask you for your private key, and see how many morons are out there who would actually jump through the hoops of obtaining that key from their phones and pasting it to the phisher, 'cause hey, "a million Nigerian dollars is a lot of money".

    --
    Question for religious people: where do unrepentant masochists go when they die?
    1. Re:"password" and "123456" dethroned by Anonymous Coward · · Score: 0

      I think at this point using a Google Authenticator generated code _as_ the password should be enough. It removes the user from the process of creating a "correct horse battery staple" password. It makes the authentication pretty much on par with SSH key authentication (you have a private key, Google has the public part, you generate a code that demonstrates that you have the correct key).

      ...except Google Authenticator uses TOTP, which generates the code using a shared secret, not a public/private keypair...

  18. Google is on to something here by dskoll · · Score: 3, Interesting

    Google is on to something, but the implementation is wrong. First of all, this facility should be built in to browsers, not added as an extension. Secondly, it needs to be generalized: Just as browsers currently ask "Would you like to save this username/password for www.somesite.example", they should also ask "Would you like to lock this username/password combination to www.somesite.example?" and offer the usual "Yes / No / Not now" choices.

    If you say "Yes", then the browser should alert you every time it sees that password on a different site.

  19. Keylogger by in10se · · Score: 1

    Sounds like Google wants you to install a keylogger for your safety.

    --
    Popisms.com - Connecting pop culture
    1. Re:Keylogger by swillden · · Score: 1

      RTFA. It doesn't log keystrokes, and doesn't send anything off your machine.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Keylogger by in10se · · Score: 1

      You describe the process in another comment as "Some Javascript downloaded from Google scans all the text you enter..." Oh, now I get it. So it doesn't log your keystrokes, it just monitors all the text you type. Thanks for the distinction.

      --
      Popisms.com - Connecting pop culture
    3. Re:Keylogger by swillden · · Score: 1

      You describe the process in another comment as "Some Javascript downloaded from Google scans all the text you enter..." Oh, now I get it. So it doesn't log your keystrokes, it just monitors all the text you type. Thanks for the distinction.

      What do you mean by "monitors"? It monitors the text you type in exactly the same way that your web browser does, or your keyboard, for that matter. That is, it performs local computations on your keystrokes. Your web browser takes the additional step (sometimes) of sending network messages if you type certain things. In that way, the password alert extension is different, because it never does that.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  20. "sign in with" by Anonymous Coward · · Score: 0

    Suppose I visit another site that offers to let me "sign in with" my Google account. Will this extension check for a man-in-the-middle attack? I.e., confirm that my password is really going to Google and will not be exposed to the site I'm visiting? Or is the whole "sign in with" process hopelessly insecure?

  21. Reversible or hash? by tepples · · Score: 1

    Additionally, every slashdaughter who knows what hashing is realized that's what they meant by "scrambled".

    "Scrambled" can also mean reversibly encrypted, as in the Content Scrambling System used with DVD Video.

  22. Relying party doesn't see OpenID password by tepples · · Score: 1

    If you "sign in with your Google account" on some website, you're using OpenID Connect. This takes you to a Google page, you give your password to Google, and then Google sends an OAuth 2 token representing your account back to the relying party and redirects you to the relying party's website. The relying party never sees your Google password.

  23. False sense of security in PW mgr by tepples · · Score: 1

    because they didn't want to bundle a password manager when you can add one as a plugin?

    They bundled one, an insecure one. It provides a false sense of security in the same sense that a self-signed HTTPS certificate provides a false sense of security.

  24. a phisher won't wait for me to hit enter by iceco2 · · Score: 1

    If I start typing my password the site can collect it as I type. By the time I'm done it is too late.