Google Working On Password Generator For Chrome
Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."
xkcd (Score:4, Insightful)
Re: (Score:2)
It works, and works well. My SSID login is 27 characters and I can remember it without a problem. My secondary password after I use my RSA token? Usually 3 tries before I remember because we have a password policy of upper/lower case mixed with alpha-numerics, which must be between 8 and 30 characters in length. We change these every 18 days.
Brain...hurts...especially for someone with very poor short and medium term memory problems. Of course it's an automatic disciplinary issue if you write any of th
Re: (Score:2)
The math is SOOOOOOOOOO wrong it isn't even funny.
The alpha cap and lower case letters gives you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.
so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the password length.
1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of
Re: (Score:2)
The math is SOOOOOOOOOO wrong it isn't even funny.
The alpha cap and lower case letters gives you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.
so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the password length.
1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of guessing the password before the end of the list of possibles)
increasing the guess rate by 25 orders of magnitude would weaken the password considerably, but it would still be pretty good at 863 years.
You are of course referring to the "math" following your initial statement, right? And it was sarcastic, right? I hope . . .
Re:xkcd (Score:5, Insightful)
Randall uses four words, not one. Even if you use a small word list of 5000 words (and TWL has many more words), that's 6.25*10^14 combinations. It's still a few times stronger than an 8-character random alphanumeric which has ~2.81*10^14 combinations.
And if you go with the full TWL, you need at least 12 characters in the random alphanumeric to even be as strong as the 4-word passphrase.
It's only less secure in the sense that a similarly sized alphanumeric has more possible combinations - which is not being compared.
Re: (Score:3)
...and that's assuming people will use English words, which is probably true only for native English speakers without a second language. A dictionary would roughly double in size (yet another bit of entropy) for each additional potential language.
Re: (Score:2)
Of course one should avoid common phrases as well. I'd expect "robots in disguise" to fa
Re: (Score:2)
But Munroe's concept is irrelevant.
Yes, it's certainly true that you can get significant entropy from a multi-word phrase (BTW, Munroe assumed a 2048-word dictionary), and that it will be easier to remember than comparable entropy from a random character string. But low-entropy passwords are only part of the problem, and the smaller part. The bigger part is password reuse. The majority of people use the same password for their slashdot account, their bank account and everything in between. Some more s
Re:xkcd (Score:4, Interesting)
Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:
Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.
Emphasis mine.
A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.
His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.
Re:xkcd (Score:4, Informative)
It's not only about having more entropy. As the top half of the comic suggests, Joe User who is new at managing passwords may have a hard time remembering "Tr0ub4dor!", and that may lead to less security if he resorts to guessable passwords or the dreaded Post-It.
Then comes the nasty issue of restrictions - "must be between 8 and 15 characters, with mixed case, at least one number and one symbol" (I kid you not). They're practically telling you to use 1-2 common words in l33tsp34k. There are ways around that: e.g., take the first two letters of your passphrase and "scramble" that in a compatible but consistent manner: "correcthorsebatterystaple" --> "C0h0b45t!". Don't try (too hard) to show the admin the error in his ways.
Re: (Score:2)
This is also relevant ;-)
http://xkcd.com/538/ [xkcd.com]
Or use 1Password (Score:2)
Re: (Score:2)
KeePass 2 plugs into Chrome quite nicely. There's also an Android version, which is nice for when I'm not at a computer I control.
One small problem... (Score:5, Insightful)
The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.
Re: (Score:2)
That's why I use lastpass - it ignores this setting. I tried hacking the chromium source to block it, but it was too much of a pita, especially since it gets updated every two weeks it seems. Plus, it is multi-browser...
Re: (Score:2)
You could always use an open source browser (Chromium, Firefox, whatever) and modify it to ignore the "do not automatically store data for this form" attribute in the HTML form tag.
Or you could write a browser plugin or other tool that is designed to strip that attribute.
Re: (Score:2)
I agree with the sentiment that preventing autocomplete is stupid behavior. I find it mildly offensive that the browser enforces this, without option to turn it off, since it is supposed to be acting on my behalf. "Fix it yourself" is generally not a very helpful answer. However, in this case, I eventually did fix it myself (after I read how).
There are bookmarklets floating around which will force autocomplete for a page, but you have to load the page, then hit the bookmarklet, and it's not (that I've se
Re: (Score:2)
There's a bookmarklet out there that removes this. Once Firefox has learned the password, it can keep filling out the field.
You can also use firebug to get around it.
You can also go into firefox source, unzip omni, and set _isAutocompleteDisabled to always return false in components/nsLoginManager.js then pack it up again.
Since updates to Firefox will clobber this, you might want to script resetting it, or else you might have to do it again every few months.
the world upon a silver..er chrome platter (Score:3)
Re: (Score:2)
I think they'll settle for a small ring. A minor one, the smallest of them all...
OpenID (Score:5, Informative)
So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.
Launchpad.net (Score:2)
Re: (Score:2)
Also, OpenID allows for more than just login -- it's extended for "profile exchange" and more. Ideal for Google, and all large companies, unlike https://browserid.org/ [browserid.org] or other schemes.
Re: (Score:2)
It's somewhat fruitless to try and hide from Google if you're a Gmail user.
I don't understand (Score:4, Insightful)
I just don't get it. How will this help? It's not that people can't generate random passwords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by google accomplish?
Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords. While this is cool, kde and gnome already do it by default in ubuntu (and I assume in other distros that use them). I don't know about windows, but there should be one or two around. If there aren't (or if you really like chrome and wish to grant it control over your passwords), I just don't see how having an explorer-specific tool to manage passwords is a particularly good idea. An OS-wide password manager is much better, like the aforementioned kde and gnome implementations, because it works with whatever you're using, not just your choice of internet navigation software.
Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.
Re: (Score:3)
Chrome already has an embedded password manager. I'm with you that it's nicer to have something external to the browser but that plugs into it. But I prefer an external app/format to the OS as well since it's easier to use the password database on whatever platform I need. All that being said, for most Chrome users Google doesn't have much to do with the OS, and something straightforward to use is a step in the right direction for most people.
Re: (Score:2)
Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords.
Like most (all?) browsers, Chrome already has an embedded password manager. And it's better in one way than the desktop-based PW manager, at least for people who use multiple devices, because Chrome Sync will synchronize your passwords to Chrome on all of your other devices. So you have your passwords everywhere.
UNIX/Linux password generation. (Score:2)
http://www.cyberciti.biz/faq/linux-random-password-generator/ [cyberciti.biz]
This might work nicely for those with access to a UNIX/Linux machine...
Re: (Score:3)
testi1@lindi2:~$ wget -q http://iki.fi/lindi/watchps.c
testi1@lindi2:~$ gcc -O2 -Wall -o watchps watchps.c
testi1@lindi2:~$ echo
helper got 6738, waiting for 6739
...
testi2@lindi2:~$ genpasswd
sh88xS5MKUAiGTvk
...
woke up
cmdline: "/bin/echo sh88xS5MKUAiGTvk "
helper got 6739, waiting for 6740
What's the random number generator? (Score:2)
Does Google Chrome have a cryptographic-grade random number generator with a good source of entropy? JavaScript Math.random() is known to be predictable. [trusteer.com] Has someone with respected crypto qualifications checked over the code and signed off on it?
Re: (Score:2)
Does Google Chrome have a cryptographic-grade random number generator with a good source of entropy? JavaScript Math.random() is known to be predictable. [trusteer.com] Has someone with respected crypto qualifications checked over the code and signed off on it?
Chrome already has facilities for generating random numbers for generation of SSL session keys (or inputs to generation of SSL session keys) and for generation of key pairs. I've never looked at the source, but we also haven't heard about any issues with Chrome in those contexts. I would expect that Chrome uses the OS-provided RNG (e.g. /dev/random) facilities where available.
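Added example (not part of the thread, and not Chrome's code): a password and passphrase generator that draws from the Web Crypto CSPRNG (crypto.getRandomValues) rather than Math.random(), together with the keyspace arithmetic argued over in the xkcd sub-thread above. The function names and the 16-word list are constructed for illustration; a real passphrase list would hold thousands of words.

```javascript
// Web Crypto CSPRNG: a global in browsers and recent Node.js; older Node.js
// exposes the same API as require('crypto').webcrypto.
const rng = globalThis.crypto ?? require('crypto').webcrypto;

const TWO_32 = 0x100000000; // number of distinct values in one Uint32

// Uniform integer in [0, n). Rejection sampling discards draws from the
// incomplete top range, so the final `% n` introduces no modulo bias.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > TWO_32) {
    throw new RangeError('n must be an integer in [1, 2^32]');
  }
  const limit = TWO_32 - (TWO_32 % n); // largest multiple of n that fits
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

const ALPHANUMERIC =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Random string in which every position is an independent uniform choice.
function randomPassword(length, alphabet = ALPHANUMERIC) {
  // A repeated symbol would skew the distribution and overstate the entropy.
  if (new Set(alphabet).size !== alphabet.length) {
    throw new RangeError('alphabet contains duplicate symbols');
  }
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[randomBelow(alphabet.length)];
  }
  return out;
}

// Constructed 16-word list, for illustration only (4 bits per word).
const WORDS = [
  'anchor', 'basket', 'candle', 'dolphin', 'ember', 'forest', 'glacier',
  'harbor', 'island', 'jungle', 'kettle', 'lantern', 'meadow', 'nickel',
  'orchid', 'pepper',
];

// Passphrase of `count` words, each drawn independently (repeats allowed,
// which is what the keyspace formula below assumes).
function randomPassphrase(words, count, separator = ' ') {
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(words[randomBelow(words.length)]);
  }
  return picked.join(separator);
}

// Number of equally likely secrets: symbols^length (exact, as a BigInt).
function keyspace(symbols, length) {
  return BigInt(symbols) ** BigInt(length);
}

// The same quantity in bits: length * log2(symbols).
function entropyBits(symbols, length) {
  return length * Math.log2(symbols);
}

// Shortest random string over `alphabetSize` symbols whose keyspace is at
// least that of `wordCount` words drawn from a `listSize`-word list.
function equivalentLength(listSize, wordCount, alphabetSize) {
  if (alphabetSize < 2) throw new RangeError('alphabetSize must be >= 2');
  const target = keyspace(listSize, wordCount);
  let length = 1;
  while (keyspace(alphabetSize, length) < target) length++;
  return length;
}

// Demonstration with the list sizes mentioned in the thread (2048 and 5000).
console.log('password:  ', randomPassword(16));
console.log('passphrase:', randomPassphrase(WORDS, 4));
for (const listSize of [2048, 5000]) {
  console.log(
    `4 words from ${listSize}: ${keyspace(listSize, 4)} combinations, ` +
    `${entropyBits(listSize, 4).toFixed(1)} bits, matched by ` +
    `${equivalentLength(listSize, 4, ALPHANUMERIC.length)} random alphanumerics`
  );
}
```

The figures hold only when the generator, not the user, picks the words or characters; a phrase chosen by a person has far less entropy than the formula reports.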
Already Exists: http://passwordmaker.org/ (Score:5, Informative)
Already Exists: http://passwordmaker.org/ [passwordmaker.org]
Google Chrome: http://passwordmaker.org/Google_Chrome [passwordmaker.org]
Re: (Score:2)
It would be so great if this was integrated with Keepass: let it figure out a password when possible, and let me do my stuff when needed.
Keepass already has a pretty flexible automatic password generator btw.
Re: (Score:2)
This is not the same thing at all... The passwords made by the Google password generator are meant to be truly random, so no access to one website is related to another. On the other hand, all the passwords this application makes are generated from the exact same password plus domain name (which is obviously known), so if someone knows you use this service and guesses your master password, he has access to all the sites you go to. It is somewhat more secure than using the same password everywhere as long as
Not needed (Score:4, Insightful)
Re: (Score:2)
A lot of people don't bother to download keepass and use it. This is a solution for people who otherwise wouldn't bother, so in that respect it would improve security.
Of course, only where the break-ins involved password hacking. Most of the time it involves downloading malware.
Re: (Score:2)
so integrate it - let Chrome generate passwords (using keepass' quite good generator) and store the resulting password (plus site info etc) into a keepass DB. Then you can also use the passwords in different browsers and back them up a lot easier.
Re: (Score:2)
Would love to use keepass, but it doesn't support all the platforms I'm running on. I'm stuck with Lastpass until that changes. I need support for Chrome on Windows/Linux/ChromeOS, and Chrome and the Android Browser on Android...
Re: (Score:2)
Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.
Or Google's attempt to convince more people to use diverse passwords, to push this good security practice out to a broader user base.
Is it too late to go short on Lastpass? (Score:2)
Is it?
Won't use this (Score:2)
Re:What could go wrong? (Score:5, Insightful)
Re: (Score:3)
You mean the Do Not Track list which is practically unenforceable?
As best I can tell "Do Not Track" headers in the browser are there for legal purposes. If we ever get the chance to sue for unauthorized tracking having the browser explicitly inform the tracker's website that they should not be tracking this user will probably be helpful in court. It may even be that the threat of such ends up being enough to make trackers obey the header.
But either way, it seems like an attempt to leverage the legal system for us little guys rather than a straight-forward engineering me
Re: (Score:3)
And there is no Ironclad way to prevent tracking.
You would need to anonymize all webtraffic, remove features from browsers people actually use, make all browsers work exactly the same (which you can not or you will need to create a monopoly of one browser) and disobey the HTTP/1.1 RFC with things like the E-tag.
Re:What could go wrong? (Score:4, Interesting)
Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?
Re: (Score:2)
It would be easier to have the DNC tag and levy a $10,000 fine for each violation. If you want the government to leave a puddle like an excited poodle on its way to its now overflowing food dish in its mad dash to help you. Craft the law so you get $1000 and they get $9000 PER violation.
I'd like lower taxes and bankrupt assholes.
Re: (Score:2)
As best I can tell "Do Not Track" headers in the browser are there for legal purposes.
Any idea how one proves in court that these headers have been actually sent in specific cases?
Re: (Score:3)
Ok, but how do you show that the setting was not enabled _after_ the indictment? Or is there no such requirement?
Re:What could go wrong? (Score:5, Informative)
Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.
Really?
Perhaps you should have Googled it before shooting your mouth off...
Google Releases “Do Not Track” Extension for Chrome
Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
This extension solves that, as Google believes this is the correct way to ward off ad tracking.
http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/ [thechromesource.com]
Re:What could go wrong? (Score:4, Interesting)
released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.
So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?
Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.
Re:What could go wrong? (Score:5, Insightful)
Let's take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.
Or realistically, that google would login as people and impersonate their accounts.
You can have my tinfoil hat, you need it more than me.
Re: (Score:3, Interesting)
Let's take this argument to its realistic conclusion - Google Chrome password lock-in. Want easy access to your web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to, get one char wrong and you're stuck. Some like banks will definitely not email you a replacement password so that you can immediately reconnect.
Easy solution go wi
Re: (Score:3, Insightful)
Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.
Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.
You can't call it lock-in when they give you an unencrypted well documented XML file with your data in it, moron. That's what they do for all of their web services, you think they won't make an export feature for Chrome?
They don't need lock in. Instead of doing 'Loc
Re: (Score:3, Interesting)
I can see there being some kind of lock-in, albeit not the one you are talking about.
Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.
What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.
That coul
Re:What could go wrong? (Score:4, Informative)
OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.
Here is an official list of recommended providers: http://openid.net/get-an-openid/ [openid.net]
Re: (Score:2)
I like browserid, at least when it gets out of the beta-stage (which it should in the coming months):
https://browserid.org/about [browserid.org]
http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in [mozilla.com]
It is a quick and easy way to verify you are the owner of an email-address and an open specification.
Then Firefox will get it in the browser-UI, here is an old mockup:
https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png [mozilla.org]
Firefox still has about 25% of the market, if those users get an eas
Re: (Score:2)
firstly, it would be a good thing for Chrome to generate passwords, but I'd like to see it store them in a keepass DB file instead of holding it Chrome itself or on Google's servers.
Secondly, OpenID means you don't have to use Google as a provider. Seriously, what is with the 'one password to rule them' bullshit. Use MyOpenID or MyId or Verisign [openid.net]. Or implement your own [openid.net] provider and use that, then you can be the big bad nasty sociopath and volunteer your own ass for Russian hookers.
Come on here and post, but
Re: (Score:2)
you do know you can use an openID vendor that you pay as the customer right? Your bank could even become a vendor. So choose what ever OpenID vendor you like.
Re: (Score:2)
OpenID doesn't solve the privacy problem that it allows you to easily track someone across sites. Without it, I can easily use a different username and password for every password. My browser already stores all of these, so login is pretty much a solved problem. No site can tell what my account is on another site (unless I'm stupid enough to use gravatar or similar). With OpenID, it is trivial to tie together two online identities.
A well-designed single sign on system would have an authentication ser
Notify customers of shipping problems (Score:2)
It should not be tied to something like an email address (at least on the site's side - that's fine on the authentication provider's side).
Say an online store lets you sign in using OpenID to track your order. Without an e-mail address, how is the site supposed to notify you that the order has shipped, or more importantly, that there is a problem that prevents the order from shipping?
Re: (Score:2)
By asking for your email address as well?
They're also going to have trouble shipping you what you ordered if you don't give them your shipping address too. I take it you also want that to be embedded into your openid as well?
People mistype their e-mail address (Score:2)
Re: (Score:2)
You don't make them enter it twice?
And again, what happens when they mistype their shipping address too?
Re: (Score:2)
You don't make them enter it twice?
Ctrl+C Ctrl+V and the error is pasted twice.
And again, what happens when they mistype their shipping address too?
For one thing, the postal service has proven competent at fixing that. For another, PayPal appears to do some processing on the shipping addresses of customers who pay with PayPal.
Re: (Score:2)
If they copy paste and make a typo then that's their tough luck. Surely that can't happen that often - both being stupid enough to copy-n-paste an obvious typo check and smart enough to know how to copy-n-paste...
Re: (Score:2)
nothing will solve your issues with privacy because HTTP headers can be used to uniquely identify your PC with a high enough certainty that even in a world of blurmany (Germany has crazy privacy laws), the advertisers can still track your behavior and know when you are on a site and advertise accordingly....that even works in a private session because it is based on the HTTP protocol.
Re: (Score:2)
Okay, say I have been using this feature on chrome for a while, and say the password is saved by chrome and it allows me to look it up. Now I want to switch to IE (for whatever reasons). Now for each of the websites I have to open chrome password manager and locate the right password, copy it and paste it in IE. This is labour intensive enough that, nobody would ever want to do it. That sounds like a lock-in to me (my definition of lock-in is the inability to easily switch to a competing service).
And about
Re: (Score:3)
Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.
Just so that you know, google does not allow you to download non-anonymous search history either. I am usually logged in when I perform a search on google. Neither does google allow you to download the search results you have visited (it does not even allow you to view them I believe). Google does not allow me to download the list of websites I have visited and Google had noticed that I had visited it. It does not allow me to download the timestamps and IPs of my logins. I can go on and on, but you get my point. Goo
Re: (Score:3)
I can't download the history, but i can view it all here: https://www.google.com/history/ [google.com]
Re: (Score:3)
I put mine in a text file and encrypt them with a PGP key that is not on my PC. That is my backup. I trust firefox well enough to let it store them but I don't trust them not to screw up and destroy them.
Re: (Score:2)
I'd like to see a standard password database storage format. Yes, there are ways to generate and store passwords, but usually, it is pretty difficult (and prone to leaks) to transfer the entries between one password program to another, especially on different devices.
For example, the best password storage on the iPhone would be 1Password since it uses a PIN (10 mistries == wipe), as well as the passphrase. Android, last time I checked, the app had far less functionality. KeePass is as close to a stan
Re: (Score:2)
Undoing my mods...
KeePass is as close to a standard as one can get for multiplatform access, but good luck keeping all those in sync.
Combine it with Dropbox. I open my passwords on Linux, my Android phone, and Windows. I could also do the same when switching to an iPhone.
They all access the same database, all changes synced in seconds. Each package apart is not a standard, but the combination Dropbox/Keepass is rapidly becoming the default in my professional circles. And with Crashplan doing encrypted backups, i figure I'm pretty safe.
Re: (Score:2)
I'd like to see a standard password database storage format
The storage format isn't the problem, it's the API. The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it. If I enter a password in Safari, Opera can only access it if I explicitly grant Opera permission for that password. How the passwords are stored is of secondary importance - the important part is that no program - especially not a web browser, which downloads and runs untrusted code
Key continuity management in Keychain (Score:2)
The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it.
That's to keep viruses from infecting a program and gaining access to its key-value store. But a virus can't infect a signed program without invalidating the signature. I've read that Keychain ACLs transfer to future versions of the same program as long as both versions are provably by the same author, that is, they were signed with the same (self-signed) certificate.
Re: (Score:2)
It's been a long time since I read cypherpunks and I still feel I'm a noob at crypto. Smart cards do the encryption/decryption in such a way as to not reveal the key even to snoopers.
I want to secure my home/laptop system so that I can use a smartcard to log on with a pin pad built into the card or one I carry. I think this is something I can set up.
I'd like to be able to use a computer that may have compromised hardware to be able to connect to a PC I control and do my transactions using that. Again I'd li
Re:What could go wrong? (Score:5, Funny)
Let's take this argument to its realistic conclusion - Google Chrome password lock-in. Want easy access to your web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to
Ctrl C
Ctrl V.
Re: (Score:2)
Shift-Insert
Re: (Score:2)
I've got some sort of strong password chrome plugin already, I use it for everything. I just don't bother to write down the passwords.
The chances that I'll lose the randomly generated password in the time between when the cookie expires, and when I actually need to use the site* again is about 90%. If I think I'll come back to the site, I'll email myself the password, and if it's just a throwaway account (is there a better single word term for this yet?) I'll just use the password recovery if by so
Keepass (Score:3)
A typical web site password of mine:
1jVzaVAy9Xhfoc_eok0V49ld-
My banking passwords are of course more controlled, with far more specialised systems enforcing password strength to exactly 6 digit numerical characters. Clearly date of birth is the state of the art in banking security.
Re: (Score:2)
And no, Chromium and Chrome are not the same thing.
I've got Chromium Browser installed on my Xubuntu laptop. What's the noticeable feature difference, apart from the built-in SWF player and PDF reader?
Re: (Score:2)
Let's take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.
Or realistically, that google would login as people and impersonate their accounts.
You can have my tinfoil hat, you need it more than me.
meow... that eye patch tickles ya know
Re: (Score:2)
I was astonished when websites started asking for your login credentials for *other* websites in order to scrape your contact info.
The continued erosion of privacy is starting to look like the proverbial frog being boiled alive.
Google would love to have the Facebook and Linkedin social graphs. It seems credible that they would use your credentials to scrape your portion of the graph.
Of course they would put this in their next privacy policy, in suitably nice language, which would cause minor discomfort goi
Re:What could go wrong? (Score:5, Insightful)
Re: (Score:2)
I'll stick with Firefox and the PwdHash
I always wonder why W3C didn't build password hashing into the HTML specification. It would not be the perfect solution, I know, but still it could have been a major improvement in online security.
Digest authentication is part of HTTP (Score:2)
Re: (Score:2)
Sorry bonch, but I'll stick with PassKeeper 1 as it's truly cross platform. Another reason and the most important one, is that I don't feel that the browser should ever generate my pw's for me. What happens if someone figures a compromise for the browser and is able to steal all the pw's you've generated? I do agree on not trusting Google in this case and in fact that was the first thing I thought of. Is the actual PW generation being done in a secure way on my system or is it being done using Google's ser
Re: (Score:2)
My Bad for replying to myself
I do agree bonch and yes, the first question I had was just how does Google guarantee to me that the PW generation is being done in a secure way on my system and not theirs? The other issue is what happens when someone figures out a flaw in the PW generator and are then able to easily crack all of the PW's generated by everyone using this method? We've already seen it happen - Remember the Debian SSH key screwup?
As to trusting the browser, I really don't as far as retaining my pa
Re: (Score:2)
Hi, my name is Anonymous Coward and I'm the average Slashdot poster.
Slashdot Anonymous meeting (in unison) : Hi, Anonymous Coward.