Google Working On Password Generator For Chrome

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."

Re:What could go wrong?

[rtb61]

Let's take this argument to it's realisic conclusion - Google Chrome password lockin. What easy access to you web site, you better stick to using Chrome or else look forward to pen and paper copying 20 random characters, including numbers, letters, capitalisation and special chars, with different passwords for each and every site you connect to, get one char wrong and your stuck. Some like banks will definitely not email you a replacement password so that you can immediately reconnect.

Easy solution go with pass phrases they are easier to remember, words between 4 and 6 characters long, three words, that's 12 to 18 chars, those with mixed language capabilities have a slight advantage and only so "Googleveryobvious" and your done ;).

Re:What could go wrong?

[EdIII]

I can see there being some kind of lock-in, albeit not the one you are talking about.

Random password generation is useless on its own. I can't even remember 20 random alphanumeric characters and I have a good memory.

What is required when you do that is a password vault of some kind. Plenty of software available to do this for you. Chrome will already remember your passwords, but I can see them syncing that with your Google profile. They might already, I don't use Google for anything religiously.

That could be the lock-in. All of your passwords are stored in the "Cloud" with Google. However, I am sure they would provide a secure export adhering to some standards (theirs) that other vendors could read (after circumnavigating some documentation more fucking complicated than the plans for the Death Star). Sorry, I do API programming for some Google products and I find their documentation a little lacking in some places and not well organized.

My biggest issue is with Open ID. I will never, ever, participate in a system where you authenticate with a company where you are not the user, but the product. That's not security. Regardless of whether it is Google, having all that authentication in one spot is a bad idea. One password to rule them all, One password to bind them all, and in the darkness where you fucking lose it you get bent over by some sociopath in Russia who will own your ass and use it to pay for Vodka and teenage Russian hookers.

Unless, I am explicitly told by a client, after they ignore all my recommendations, will I integrate a centralized authentication scheme. Just poor security, but others will disagree I am sure....

Ohhhh, I almost forgot :)

YouTube API was offline for over 3 hours yesterday. Got a ton of emails about it and I looked at the response code coming back and it was ServiceUnavailable. No problems with our system, from what I could tell from the logs. Calls just started working again a few hours later with no code changes.

So if I do integrate Open ID, what guarantees do I have that the service will reasonably be available? How do I tell a user that the reason they can't authenticate is because one of the largest companies in the world has products in perpetual beta for free and I can't complain because it is free?

Do you think any user that complained yesterday believed Google was at fault or our system? Seriously, why even bother sending out a service impact notification that people might not even believe. With just a few hours I let them think it was just a spike in our load and it took longer than normal to upload.

Re:xkcd

[Zarel]

Really, Slashdot? 4, Insightful for a comment that has no idea what it's talking about? All you need to do is read the Wikipedia article you link to:

Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.

Emphasis mine.

A dictionary attack is a fast way to crack a password consisting of a single word. The conventional wisdom of how to thwart a dictionary attack is to replace letters with symbols and append a few more symbols to the end. Randall's comic is intended to establish that simply using more than one word will thwart a dictionary attack much more effectively.

His comic does this by calculating entropy. His estimates of "3 days" and "550 years" are the theoretical best time to crack the password, and already take into account that English words have lower entropy than their constituent characters. Actual attacks such as dictionary attacks are slower than these theoretical best estimates.

Re:What could go wrong?

[WrongSizeGlass]

Just an extension? Not core functionality? Meh.

released a “Do Not Track” extension for Chrome called Keep My Opt-Outs that blocks advertisements that are based on browser history.

So it blocks the advertisers people have 'opted-out' from? What about all the sneaky bastards that users a)don't know about or b)don't provide an opt-out option?

Google isn't necessarily Evil, but it has proven itself untrustworthy. They are the ones who benefit most from tracking, so I'm going to vote with my browser and email provider choices. I'm not bashing Google, but these days their actions have overshadowed their motto of Do No Evil.

Re:What could go wrong?

[modmans2ndcoming]

Right...they have even done studies where they found they can uniquely identify a PC with a high degree of certainty using only the data that is available as part of the HTTP headers. Sure...they do not know your name or anything, but who needs to know a name when they can simply see your behavior and advertise accordingly?