Google Working On Password Generator For Chrome

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."

xkcd

[Zaldarr]

http://xkcd.com/936/ [xkcd.com] Randall has it all sorted. Just use a whole lotta entropy.

Re:

[Mashiki]

It works, and works well. My SSID login is 27 characters and I can remember it without a problem. My secondary password after I use my RSA token? Usually 3 tries before I remember because we have a password policy of upper/lower case mixed with alpha-numerics, which must be between 8 and 30 characters in length. We change these every 18 days.

Brain...hurts...especially for someone with very poor short and medium term memory problems. Of course it's an automatic disciplinary issue if you write any of th

Re:

[modmans2ndcoming]

The math is SOOOOOOOOOO wrong it isn't even funny.

The alpha cap and lower case letters gives you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.

so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the pass word length.

1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of

Re:

[Rob the Bold]

The math is SOOOOOOOOOO wrong it isn't even funny.

The alpha cap and lower case letters gives you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.

so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the pass word length.

1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of guessing the password before the end of the list of possibles)

increasing the guess rate by 25 orders of magnitude would weaken the password considerably, but it would still be pretty good at 863 years.

You are of course referring to the "math" following your initial statement, right? And it was sarcastic, right? I hope . . .

Re:xkcd

[Sigma 7]

Randall uses four words, not one. Even if you use a small word list of 5000 words (and TWL has much more words), that's 6.25 *10^14 combinations. It's still a few times stronger than a 8-character random alphanumeric which has ~2.81*10^14 combinations.

And if you go with the full TWL, you need at least 12 characters in the random alphanumberic to even be as strong as the 4-word passphrase.

It's only less secure in the sense that a similarly sized alphanumeric has more possible combinations - which is not being compared.

Re:

[mwvdlee]

...and that's assuming people will use english words, which is probably try only for native English speakers without a second language. A dictionary would roughly double in size (yet another bit of entropy) for each additional potential language.

Re:

[Jesus_666]

Plus neologisms, proper names and contractions. "john's nightly adventures in vaxholm", "beeb anchor cornflakes explosion" or "overdramatic grimdark etymology sideshow" are all unlikely to fall to simple dictionary attacks, although one could of course compile a dictionary that includes nicknames for TV channels, Swedish municipalities and internet slang. Perhaps not an entire additional bit but still slightly better.

Of course one should avoid common phrases as well. I'd expect "robots in disguise" to fa

Re:

[swillden]

But Munroe's concept is irrelevant.

Yes, it's certainly true that you can get significant entropy from a multi-word phrase (BTW, Munroe assumed a 2048-word dictionary), and that it will be easier to remember than comparable entropy from a random character string. But low-entropy passwords are only part of the problem, and the smaller part. The bigger part is password reuse. The majority of people use the same password for their slashdot account, their bank account and everything in between. Some more s

Re:xkcd

[Zarel]

Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:

Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.

Emphasis mine.

A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.

His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.

Re:xkcd

[arielCo]

It's not only about having more entropy. As the top half of the comic suggest, Joe User who is new at managing passwords may have a hard time remembering "Tr0ub4dor!", and that may lead to less security if he resorts to guessable passwords or the dreaded Post-It.

Then comes the nasty issue of restrictions - "must be between 8 and 15 characters, with mixed case, at least one number and one symbol" (I kid you not). They're practically telling you to use 1-2 common words in l33tsp34k. There are ways around that: e.g., take the first two letters of your passphrase and "scramble" that in a compatible but consistent manner: "correcthorsebatterystaple" --> "C0h0b45t!". Don't try (too hard) to show the admin the error in his ways.

Re:

[arielCo]

Sorry, I meant the "two first letters of each word of your passphrase", but surely you already guess that. And no, I didn't call you Shirley ;)

Re:

[MisterMidi]

Ehm, 2^11 = 2048...

Re:

[Lennie]

This is also relevant ;-)

http://xkcd.com/538/ [xkcd.com]

Or use 1Password

[cmarkn]

Its plugin is not quite seamless, but it works smoothly enough with Safari and Firefox. They're working on Chrome and Opera plugins, but they aren't there yet.

Re:

[Intropy]

KeyPass 2 plugs into Chrome quite nicely. There's also an android version, which is nice for when I'm not at a computer I control.

One small problem...

[Todd Knarr]

The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.

Re:

[TheRaven64]

This really bugs me too. If a site lets my browser store the password, then I store it in the keychain, where it is encrypted and protected by an ACL so nothing other than the browser can get at it. If a site doesn't let my browser store a password then I also store it in the keychain, but now I transfer it to the browser via the clipboard where any app can see it.

Re:

[Rich0]

That's why I use lastpass - it ignores this setting. I tried hacking the chromium source to block it, but it was too much of a pita, especially since it gets updated every two weeks it seems. Plus, it is multi-browser...

Re:

[jonwil]

You could always use an open source browser (Chromium, Firefox, whatever) and modify it to ignore the "do not automatically store data for this form" attribute in the HTML form tag.
Or you could write a browser plugin or other tool that is designed to strip that attribute.

Re:

[spidr_mnky]

I agree with the sentiment that preventing autocomplete is stupid behavior. I find it mildly offensive that the browser enforces this, without option to turn it off, since it is supposed to be acting on my behalf. "Fix it yourself" is generally not a very helpful answer. However, in this case, I eventually did fix it myself (after I read how).

There are bookmarklets floating around which will force autocomplete for a page, but you have to load the page, then hit the bookmarklet, and it's not (that I've se

Re:

[tepples]

The login form on Chase Bank's web site has the same autocomplete="off" attribute.

Re:

[Derek Pomery]

There's a bookmarklet out there that removes this. Once Firefox has learned the password, it can keep filling out the field.
You can also use firebug to get around it.

You can also go into firefox source, unzip omni, and set _isAutocompleteDisabled to always return false in components/nsLoginManager.js then pack it up again.
Since updates to Firefox will clobber this, you might want to script resetting it, or else you might have to do it again every few months.

the world upon a silver..er chrome platter

[smoothnorman]

"What do you want Google? The Key of Orthanc, or perhaps the keys of Barad-dûr itself, along with the crowns of the seven kings, and the rods of the five wizards?"

Re:

[St.Creed]

I think they'll settle for a small ring. A minor one, the smallest of them all...

OpenID

[IGnatius T Foobar]

The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.

So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.

Re:

[TheRaven64]

I'm sure Google loves OpenID. Now, not only do they get to track IPs and cookies from the various sites that use Google Ads or Analytics, they get to correlate multiple online identities on unrelated sites and build a detailed profile about a person. OpenID, sadly, isn't dead, but that doesn't mean it isn't a bloody stupid idea.

Launchpad.net

[tepples]

That's why I use my Ubuntu account [launchpad.net] instead of my Google account when I want to log in somewhere with OpenID. Is Canonical likely to track me and do evil things with the information?

Re:

[TheRaven64]

Probably not, but now two unrelated sites can still cooperate to identify you between them. If you log in anywhere that uses your OpenID address as a public identifier then so can any crawlers. As I said in another post, a well-designed version of OpenID would have the authentication server provide no more assurance than that the same person attempting to log in twice was the same person. It would not provide any information that could tie this person to another account on an unrelated system.

Re:

[mounthood]

Also, OpenID allows for more then just login -- it's extended for "profile exchange" and more. Ideal for Google, and all large companies, unlike https://browserid.org/ [browserid.org] or other schemes.

Re:

[Dan541]

It's somewhat fruitless to try and hide from Google if you're a Gmail user.

I don't understand

[Superdarion]

I just don't get it. How will this help? It's not that people can't generate random paswords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by google accomplish?

Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords. While this is cool, kde and gnome already do it by default in ubuntu (and I assume in other distros that use them). I don't know about windows, but there should be one or two around. If there aren't (or if you really like chrome and wish to grant it control over your passwords), I just don't see how having a explorer-specific tool to manage passwords is a particularly good idea. A OS-wide password manager is much better, like the aforementioned kde and gnome implementations, because it works with whatever you're using, not just your choice of internet navigation software.

Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.

Re:

[Intropy]

Chrome already has an embedded password manager. I'm with you that it's nicer to have something external to the browser but that plugs into it. But I prefer an external app/format to the OS as well since it's easier to use the password database on whatever platform I need. All that being said, for most Chrome users Google doesn't have much to do with the OS, and something straightforward to use is a step in the right direction for most people.

Re:

[swillden]

Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords.

Like most (all?) browsers, Chrome already has an embedded password manager. And it's better in one way than the desktop-based PW manager, at least for people who use multiple devices, because Chrome Sync will synchronize your passwords to Chrome on all of your other devices. So you have your passwords everywhere.

UNIX/Linux password generation.

[bejiitas_wrath]

http://www.cyberciti.biz/faq/linux-random-password-generator/ [cyberciti.biz]

This might work nicely for those with access to a UNIX/Linux machine...

Re:

[lindi]

Unfortunately that does not work nicely. On a multiuser Linux system everyone can see your password by looking at the process list. Here's a proof of concept:

testi1@lindi2:~$ wget -q http://iki.fi/lindi/watchps.c
testi1@lindi2:~$ gcc -O2 -Wall -o watchps watchps.c
testi1@lindi2:~$ echo /lib/x86_64-linux-gnu | ./watchps
helper got 6738, waiting for 6739

...

testi2@lindi2:~$ genpasswd
sh88xS5MKUAiGTvk

...

woke up
cmdline: "/bin/echo sh88xS5MKUAiGTvk "
helper got 6739, waiting for 6740

Re:

[Robert Zenz]

Or you could use mkpasswd.

What's the random number generator?

[Animats]

Does Google Chrome have a cryptographic-grade random number generator with a good source of enthropy? Javascript math.random() is known to be predictable. [trusteer.com] Has someone with respected crypto qualifications checked over the code and signed off on it?

Re:

[swillden]

Does Google Chrome have a cryptographic-grade random number generator with a good source of enthropy? Javascript math.random() is known to be predictable. [trusteer.com] Has someone with respected crypto qualifications checked over the code and signed off on it?

Chrome already has facilities for generating random numbers for generation of SSL session keys (or inputs to generation of SSL session keys) and for generation of key pairs. I've never looked at the source, but we also haven't heard about any issues with Chrome in those contexts. I would expect that Chrome uses the OS-provided RNG (e.g. /dev/random) facilities where available.

Already Exists: http://passwordmaker.org/

[JakFrost]

Already Exists: http://passwordmaker.org/ [passwordmaker.org]
Google Chrome: http://passwordmaker.org/Google_Chrome [passwordmaker.org]

The Problem

If you're like most people, you have a few passwords that you use over and over again on many different websites. You know this isn't secure, yet you do it anyway. Why? Because it's difficult to remember a unique password for each and every web site that requires one.
Existing Solutions

Maybe you do use unique passwords, and get around the problem of remembering them by storing them in a spreadsheet or other file. Maybe you even use one of the many password managers that are available. But now you've centralized your passwords and access to them becomes difficult while at work, a friend's computer, or a public internet terminal. You can't get to your passwords without carrying them around or publishing them on the internet. Some people even carry a USB keychain with their passwords wherever they go. How inconvenient. And publishing them on the internet? Yikes! We need not even mention the security risks inherent with that solution. Even if you trust the company storing the passwords, you can be sure every hacker in the world is drooling over the prospect of accessing their database (Like the LastPass break in of May, 2011 LastPass Announcement).

Our Solution

PasswordMaker solves all of these issues. It is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.
How It Works

Warning - technical jargon in this section!

You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." 1. In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

What About Portability?

For times when you must use one of the rare platforms to which PasswordMaker hasn't been ported, or are using a system where you can't install any software, there's an online version which mimics the extension and works in all web browsers new and old. No downloads or installations are required.

Re:

[St.Creed]

It would be so great if this was integrated with Keepass: let it figure out a password when possible, and let me do my stuff when needed.

Keepass already has a pretty flexible automatic password generator btw.

Re:

[Chryana]

This is not the same thing at all... The passwords made by the Google password generator are meant to be truly random, so no access to one website is related to another. On the other hand, all the password this application makes are generated from the exact same password plus domain name (which is obviously known), so if someone knows you use this service and guesses your master password, he has access to all the sites you go to. It is somewhat more secure than using the same password everywhere as long as

Not needed

[scdeimos]

Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.

Re:

[St.Creed]

A lot of people don't bother to download keepass and use it. This is a solution for people who otherwise wouldn't bother, so in that respect it would improve security.

OFcourse, only where the breakins involved password hacking. Most of the time it involves downloading malware.

Re:

[gbjbaanb]

so integrate it - let Chrome generate passwords (using keepass' quite good generator) and store the resulting password (plus site info etc) into a keepass DB. Then you can also use the passwords in different browsers and back them up a lot easier.

Re:

[Rich0]

Would love to use keepass, but it doesn't support all the platforms I'm running on. I'm stuck with Lastpass until that changes. I need support for Chrome on Windows/Linux/ChromeOS, and Chrome and the Android Browser on Android...

Re:

[swillden]

Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.

Or Google's attempt to convince more people to use diverse passwords, to push this good security practice out to a broader user base.

Is it too late to go short on Lastpass?

[mark_reh]

Is it?

Won't use this

[equex]

Great, now hackers has a single point of attack to lift passwords. Imagine hooking a function call to the generation plugin which sends every password and username back to the attacker....

Re:What could go wrong?

[Aerorae]

You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?

Re:

[Jah-Wren Ryel]

You mean the Do Not Track list which is practically unenforceable?

As best I can tell "Do Not Track" headers in the browser are there for legal purposes. If we ever get the chance to sue for unauthorized tracking having the browser explicitly inform the tracker's website that they should not be tracking this user will probably be helpful in court. It may even be that the threat of such ends up being enough to make trackers obey the header.

But either way, it seems like an attempt to leverage the legal system for us little guys rather than a straight-forward engineering me

Re:

[Lennie]

And there is no Ironclad way to prevent tracking.

You would need to anonymize all webtraffic, remove features from browsers people actually use, make all browsers work exactly the same (which you can not or you will need to create a monopoly of one browser) and disobey the HTTP/1.1 RFC with things like the E-tag.

Re:What could go wrong?

[modmans2ndcoming]

Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?

Re:

[mrmeval]

It would be easier to have the DNC tag and levy a $10,000 fine for each violation. If you want the government to leave a puddle like an excited poodle on it's way to it's now overflowing food dish in it's mad dash to help you. Craft the law so you get $1000 and they get $9000 PER violation.

I'd like lower taxes and bankrupt assholes.

Re:

[StripedCow]

As best I can tell "Do Not Track" headers in the browser are there for legal purposes.

Any idea how one proves in court that these headers have been actually sent in specific cases?

Re:

[TheRaven64]

In a civil suit, the burden of evidence is 'the balance of probability'. If you can show that your browser sends the header if a particular setting is enabled and that you have enabled that setting, then the other party would have to show that it was not sent in a specific case, or provide some counter evidence. In a criminal case, the standard is 'beyond reasonable doubt', so they would just have to show that it was possible that it was not sent.

Re:

[StripedCow]

Ok, but how do you show that the setting was not enabled _after_ the indictment? Or is there no such requirement?

Re:

[TheRaven64]

As I said, the requirement is 'balance of probability'. You make the claim and provide evidence, the other side has to show that it is improbable. It's up to the judge or jury do then weigh the evidence and see which is more likely...

Re:What could go wrong?

[ozmanjusri]

Google is the only holdout on Do Not Track. Every other major browser vendor has adopted.

Really?

Perhaps you should have Googled it before shooting your mouth off...

Google Releases “Do Not Track” Extension for Chrome
Google is announcing that they have released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history. It hasn’t been made mandatory by any governments yet, but it’s been clear that ever since the Wall Street Journal’s series on how advertisers track user information on the web that this was going to happen.
Already the Chrome team has been testing an experimental feature that allows you to block all new third party cookies from being set. These pieces of information can travel with you and record information about your habits on the web. They are also useful for saving other information such as preferences and login information, but the marketing opportunities that can be taken advantage of with cookies is enough to make some people want to turn them off.
This extension solves that, as Google believes this is the correct way to ward of ad tracking.

http://www.thechromesource.com/google-releases-do-not-track-extension-for-chrome/ [thechromesource.com]

Re:What could go wrong?

[WrongSizeGlass]

Just an extension? Not core functionality? Meh.

released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.

So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?

Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.

Re:What could go wrong?

[liquidweaver]

Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

Or realistically, that google would login as people and impersonate their accounts.

You can have my tinfoil hat, you need it more than me.

Re:

[rtb61]

Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to, get one char wrong and your stuck. Some like banks will definitely not email you a replacement password so that you can immediately reconnect.

Easy solution go wi

Re:

[BitZtream]

Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.

Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

You can't call it lock in when they give you a unencrypted well documented XML file with your data in it, moron. Thats what they do for all of their web services, you think they won't make an export feature for Chrome?

They don't need lock in. Instead of doing 'Loc

Re:

[EdIII]

I can see there being some kind of lock-in, albeit not the one you are talking about.

Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.

What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.

That coul

Re:What could go wrong?

[tibman]

OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.

Here is an official list of recommended providers: http://openid.net/get-an-openid/ [openid.net]

Re:

[Lennie]

I like browserid, atleast when it gets out of the beta-stage (which it should in the coming months):

https://browserid.org/about [browserid.org]
http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in [mozilla.com]

It is a quick and easy way to verify you are the owner of an email-address and an open specification.

Then Firefox will get it in the browser-UI, here is an old mockup:

https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png [mozilla.org]

Firefox still has about 25% of the market, if those users get an eas

Re:

[gbjbaanb]

firstly, it would be a good thing for Chrome to generate passwords, but I'd like to see it store them in a keepass DB file instead of holding it Chrome itself or on Google's servers.

Secondly, OpenID means you don't have to use Google as a provider. Seriously, what is with the 'one password to rule them' bullshit. Use MyOpenID or MyId or Verisign [openid.net]. Or implement your own [openid.net] provider and use that, then you can be the big bad nasty sociopath and volunteer your own ass for Russian hookers.

Come on here and post, but

Re:

[modmans2ndcoming]

you do know you can use an openID vendor that you pay as the customer right? Your bank could even become a vendor. So choose what ever OpenID vendor you like.

Re:

[TheRaven64]

OpenID doesn't solve the privacy problem that it allows you to easily track someone across sites. Without it, I can easily use a different username and password for every password. My browser already stores all of these, so login is pretty much a solved problem. No site can tell what my account is on another site (unless I'm stupid enough to use gravatar or similar). With OpenID, it is trivial to tie together two online identities.

A well-designed single sign on system would have an authentication ser

Notify customers of shipping problems

[tepples]

It should not be tied to something like an email address (at least on the site's side - that's fine on the authentication provider's side).

Say an online store lets you sign in using OpenID to track your order. Without an e-mail address, how is the site supposed to notify you that the order has shipped, or more importantly, that there is a problem that prevents the order from shipping?

Re:

[nedlohs]

By asking for your email address as well?

They're also going to have trouble shipping you what you ordered if you don't give them your shipping address too. I take it you also want that to be embedded into your openid as well?

People mistype their e-mail address

[tepples]

I am the web developer and server administrator for such an online shop, and I get a lot of shipping notification e-mails bounced as undeliverable because people mistype their address. It has got to the point where Comcast has started to assume our legitimate shipping notification e-mails are spam. I imagine that if someone has successfully logged into OpenID, that's a stronger guarantee that the address can actually receive mail.

Re:

[nedlohs]

You don't make them enter it twice?

And what again what happens when they mistype their shipping address too?

Re:

[tepples]

You don't make them enter it twice?

Ctrl+C Ctrl+V and the error is pasted twice.

And what again what happens when they mistype their shipping address too?

For one thing, the postal service has proven competent at fixing that. For another, PayPal appears to do some processing on the shipping addresses of customers who pay with PayPal.

Re:

[nedlohs]

If they copy paste and make a typo then that's their tough luck. Surely that can't happen that often - both being stupid enough to copy-n-paste an obvious typo check and smart enough to know how to copy-n-paste...

Re:

[modmans2ndcoming]

nothing will solve your issues with privacy because HTTP headers can be used to uniquely identify your PC with a high enough certainty that even in a world of blurmany (Germany has crazy privacy laws), the advertisers can still track your behavior and know when you are on a site and advertise accordingly....that even works in a private session because it is based on the HTTP protocol.

Re:

[ThatsMyNick]

Okay, say I have been using this feature on chrome for a while, and say the password is saved by chrome and it allows me to look it up. Now I want to switch to IE (for whatever reasons). Now for each of the websites I have to open chrome password manager and locate the right password, copy it and paste it in IE. This is labour intensive enough that, nobody would ever want to do it. That sounds like a lock-in to me (my definition of lock-in is the inability to easily switch to a competing service).

And about

Re:

[ThatsMyNick]

Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

Just so that you know, google does not allow you download non-anonymous search history either. I am usually logged in, when I perform a seach on google. Neither does google allow you download the search results you have visited (it does not even allow you view them I believe). Google does not allow me to download the list of websites I have visited and Google had noticed that I had visited it. It does not allow me to download the timestamps and IPs of my logins. I can go on and on, but you get my point. Goo

Re:

[tibman]

I can't download the history, but i can view it all here: https://www.google.com/history/ [google.com]

Re:

[mrmeval]

I put mine in a text file and encrypt them with a PGP key that is not on my PC. That is my backup. I trust firefox well enough to let it store them but I don't trust them not to screw up and destroy them.

Re:

[mlts]

I'd like to see a standard password database storage format. Yes, there are ways to generate and and store passwords, but usually, it is pretty difficult (and prone to leaks) to transfer the entries between one password program to another, especially on different devices.

For example, the best password storage on the iPhone would be 1Password since it uses a PIN (10 mistries == wipe), as well as the passphrase. Android, last time I checked, the app had far last functionality. KeePass is as close to a stan

Re:

[St.Creed]

Undoing my mods...

KeePass is as close to a standard as one can get for multiplatform access, but good luck keeping all those in sync.

Combine it with Dropbox. I open my passwords on Linux, my Android phone, and Windows. I could also do the same when switching to an iPhone.

They all access the same database, all changes synced in seconds. Each package apart is not a standard, but the combination Dropbox/Keepass is rapidly becoming the default in my professional circles. And with Crashplan doing encrypted backups, i figure I'm pretty safe.

Re:

[TheRaven64]

I'd like to see a standard password database storage format

The storage format isn't the problem, it's the API. The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it. If I enter a password in Safari, Opera can only access it if I explicitly grant Opera permission for that password. How the passwords are stored is of secondary importance - the important part is that no program - especially not a web browser, which downloads and runs untrusted code

Key continuity management in Keychain

[tepples]

The OS X keychain provides a key-value store where each entry has an ACL tied to a particular version of a program. If you modify a program binary, you must reauthorise it.

That's to keep viruses from infecting a program and gaining access to its key-value store. But a virus can't infect a signed program without invalidating the signature. I've read that Keychain ACLs transfer to future versions of the same program as long as both versions are provably by the same author, that is, they were signed with the same (self-signed) certificate.

Re:

[mrmeval]

It's been a long time since I read cypherpunks and I still feel I'm a noob at crypto. Smart cards do the encryption/decryption in such a way as to not reveal the key even to snoopers.

I want to secure my home/laptop system so that I can use a smartcard to log on with a pin pad built into the card or one I carry. I think this is something I can set up.

I'd like to be able to use a computer that may have compromised hardware to be able to connect to a PC I control and do my transactions using that. Again I'd li

Re:What could go wrong?

[ozmanjusri]

Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to

Ctrl C
Ctrl V.

Re:

[flyingfsck]

Higlight Middle click ;)

Re:

[Shoe Puppet]

Shift-Insert

Re:

[Hadlock]

I've got some sort of strong password chrome plugin already, I use it for everything. I just don't bother to write down the passwords.

The chances that I'll lose the randomly generated password in the time between when the cookie expires, and when I actually need to use the site* again is about 90%. If I think I'll come back to the site, I'll email myself the password, and if it's just a throwaway account (is there a better single word term for this yet?) I'll just use the password recovery if by so

Re:

[TheRaven64]

I'm pretty sure that Chrome on OS X uses the Keychain, so you can use the generated passwords from any other browser that does (i.e. Safari or Opera - I think FireFox can with an extension, but it defaults to reinventing the wheel). The Keychain can also generate passwords and tell you the strength of passwords, but for some reason Apple has not exposed this functionality in the browser.

Keepass

[Colin Smith]

A typical web site password of mine:

1jVzaVAy9Xhfoc_eok0V49ld-

My banking passwords are of course more controlled, with far more specialised systems enforcing password strength to exactly 6 digit numerical characters. Clearly date of birth is the state of the art in banking security.

Re:

[tepples]

And no, Chromium and Chrome are not the same thing.

I've got Chromium Browser installed on my Xubuntu laptop. What's the noticeable feature difference, apart from the built-in SWF player and PDF reader?

Re:

[Enter the Shoggoth]

Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

Or realistically, that google would login as people and impersonate their accounts.

You can have my tinfoil hat, you need it more than me.

meow... that eye patch tickles ya know

Re:

[crucini]

I was astonished when websites started asking for your login credentials for *other* websites in order to scrape your contact info.

The continued erosion of privacy is starting to look like the proverbial frog being boiled alive.

Google would love to have the Facebook and Linkedin social graphs. It seems credible that they would use your credentials to scrape your portion of the graph.

Of course they would put this in their next privacy policy, in suitably nice language, which would cause minor discomfort goi

Re:What could go wrong?

[MisterMidi]

What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.

Re:

[StripedCow]

I'll stick with Firefox and the PwdHash

I always wonder why W3C didn't build password hashing into the HTML specification. It would not be the perfect solution, I know, but still it could have been a major improvement in online security.

Digest authentication is part of HTTP

[tepples]

Digest authentication is part of HTTP [wikipedia.org].

Re:

[fast turtle]

Sorry bonch, but I'll stick with PassKeeper 1 as it's trully cross platform. Another reason and the most important one, is that I don't feel that the browser should ever generate my pw's for me. What happens if someone figures a compromise for the browser and am able to steal all the pw's you've generated? I do agree on not trusting Google in this case and in fact that was the first thing I thought of. Is the actual PW generation being done in a secure way on my system or is it being done using Google's ser

Re:

[fast turtle]

My Bad for replying to myself

I do agree bonch and yes, the first question I had was just how does Google gauranty to me that the PW generation is being done in a secure way on my system and not theirs? The other issue is what happens when someone figures out a flaw in the PW generator and are then able to easily crack all of the PW's generated by everyone using this method? We've already seen it happen - Remember the Debian SSH key screwup?

As to trusting the browser, I really don't as far as retaining my pa

Re:

[WrongSizeGlass]

Hi, my name is Anonymous Coward and I'm the average Slashdot poster.

Slashdot Anonymous meeting (in unison) : Hi, Anonymous Coward.

Re:

[zill]

/dev/random may be random, but it's not cryptographically secure. You would be better off using a dedicated password generator (eg. pwgen or apg).