Google Working On Password Generator For Chrome

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."

xkcd

[Zaldarr]

http://xkcd.com/936/ [xkcd.com] Randall has it all sorted. Just use a whole lotta entropy.

One small problem...

[Todd Knarr]

The problem I see is the increasing number of sites (eg. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security, it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.

Re:What could go wrong?

[Aerorae]

You mean the Do Not Track list which is practically unenforceable? The one where the advertisers "do the right thing" and honor the users' request not to track them? Such an IRONCLAD defense against predatory advertisers should be the gold standard, shouldn't it?

Re:xkcd

[Anonymous Coward]

This is one case where Randall got it completely wrong. His example will fail rather quickly to a dictionary attack [wikipedia.org], and as such, his estimates of entropy are way off.

Re:What could go wrong?

[liquidweaver]

Lets take your argument to its logical conclusion - somewhere inside of Google's secret evil HQ in the base of a volcano, Sergei and Larry are laughing maniacally, "Now we can login as everyone because we will know their passwords! MWAHAHAHA!" as they stroke their evil kittens with eyepatches.

Or realistically, that google would login as people and impersonate their accounts.

You can have my tinfoil hat, you need it more than me.

I don't understand

[Superdarion]

I just don't get it. How will this help? It's not that people can't generate random paswords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by google accomplish?

Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords. While this is cool, kde and gnome already do it by default in ubuntu (and I assume in other distros that use them). I don't know about windows, but there should be one or two around. If there aren't (or if you really like chrome and wish to grant it control over your passwords), I just don't see how having a explorer-specific tool to manage passwords is a particularly good idea. A OS-wide password manager is much better, like the aforementioned kde and gnome implementations, because it works with whatever you're using, not just your choice of internet navigation software.

Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.

Re:What could go wrong?

[BitZtream]

Right cause the only thing google lets us get back in the form of our data from their services is EVERYTHING.

Name 1 thing bit of data that you've given to Google that they don't allow you to download them other than your ANONYMOUS search history.

You can't call it lock in when they give you a unencrypted well documented XML file with your data in it, moron. Thats what they do for all of their web services, you think they won't make an export feature for Chrome?

They don't need lock in. Instead of doing 'Lock In' they do 'Better than the competition' which is far more effective at retaining customers. You should look into it some time.

Of course, this new feature in order to be useful for lock in would have to diverge from the current feature of chrome that lets you look up previously stored passwords already.

Do you actually have any idea at all who or what you're talking about?

Re:xkcd

[Sigma 7]

Randall uses four words, not one. Even if you use a small word list of 5000 words (and TWL has much more words), that's 6.25 *10^14 combinations. It's still a few times stronger than a 8-character random alphanumeric which has ~2.81*10^14 combinations.

And if you go with the full TWL, you need at least 12 characters in the random alphanumberic to even be as strong as the 4-word passphrase.

It's only less secure in the sense that a similarly sized alphanumeric has more possible combinations - which is not being compared.

Re:What could go wrong?

[MisterMidi]

What's different from trusting the browser to store your passwords? All major browsers have been doing this for years. It's really not much different. If they wanted your passwords, they'd already have them (with or without storage.) This is about encouraging people to use different passwords for different sites. Yes, it is a security risk to trust your browser with your passwords. But I think using the same password for every site is a much bigger risk.

Re:What could go wrong?

[Anonymous Coward]

Google refuses to release the Chrome source code for no real reason. And no, Chromium and Chrome are not the same thing. Given all their recent privacy fuck ups I won't touch any Google-branded piece of software (or service for that matter) with a 10ft pole.

--
Marcan, asshole [mailto] and proud.

Not needed

[scdeimos]

Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.