
Google Working On Password Generator For Chrome

Trailrunner7 writes "Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard. The tool Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires creating a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them."

  • xkcd (Score:4, Insightful)

    by Zaldarr ( 2469168 ) on Saturday February 18, 2012 @11:38PM (#39090593) Homepage
    http://xkcd.com/936/ [xkcd.com] Randall has it all sorted. Just use a whole lotta entropy.
    • by Mashiki ( 184564 )

      It works, and works well. My SSID login is 27 characters and I can remember it without a problem. My secondary password after I use my RSA token? Usually 3 tries before I remember because we have a password policy of upper/lower case mixed with alpha-numerics, which must be between 8 and 30 characters in length. We change these every 18 days.

      Brain...hurts...especially for someone with very poor short and medium term memory problems. Of course it's an automatic disciplinary issue if you write any of th

    • The math is SOOOOOOOOOO wrong it isn't even funny.

      The alpha cap and lower case letters give you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.

      so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the password length.

      1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of

      • The math is SOOOOOOOOOO wrong it isn't even funny.

        The alpha cap and lower case letters give you 52 bits....then you add the numbers.....that is 10 more to the total...then the special characters and punctuation (he used an &).. another 30.... so the total bits are 92.

        so for 11 characters.....11*2^92 = 54469361728556732095561465856 possible combinations for the password length.

        1000 guesses a second means it will take 863,606,064,950,480,912 years mean time to brute force that password. (50% chance of guessing the password before the end of the list of possibles)

        increasing the guess rate by 25 orders of magnitude would weaken the password considerably, but it would still be pretty good at 863 years.

        You are of course referring to the "math" following your initial statement, right? And it was sarcastic, right? I hope . . .

  • Its plugin is not quite seamless, but it works smoothly enough with Safari and Firefox. They're working on Chrome and Opera plugins, but they aren't there yet.
    • KeePass 2 plugs into Chrome quite nicely. There's also an Android version, which is nice for when I'm not at a computer I control.

  • by Todd Knarr ( 15451 ) on Saturday February 18, 2012 @11:44PM (#39090613) Homepage

    The problem I see is the increasing number of sites (e.g. Sony's online game support sites) who "for security reasons" block browsers from auto-completing password fields. Which IMO actually decreases security: it increases the number of times a keylogger could see my password and it makes it harder to use high-difficulty (and difficult to remember) passwords.

    • This really bugs me too. If a site lets my browser store the password, then I store it in the keychain, where it is encrypted and protected by an ACL so nothing other than the browser can get at it. If a site doesn't let my browser store a password then I also store it in the keychain, but now I transfer it to the browser via the clipboard where any app can see it.
      • by Rich0 ( 548339 )

        That's why I use lastpass - it ignores this setting. I tried hacking the chromium source to block it, but it was too much of a pita, especially since it gets updated every two weeks it seems. Plus, it is multi-browser...

    • by jonwil ( 467024 )

      You could always use an open source browser (Chromium, Firefox, whatever) and modify it to ignore the "do not automatically store data for this form" attribute in the HTML form tag.
      Or you could write a browser plugin or other tool that is designed to strip that attribute.

      • I agree with the sentiment that preventing autocomplete is stupid behavior. I find it mildly offensive that the browser enforces this, without option to turn it off, since it is supposed to be acting on my behalf. "Fix it yourself" is generally not a very helpful answer. However, in this case, I eventually did fix it myself (after I read how).

        There are bookmarklets floating around which will force autocomplete for a page, but you have to load the page, then hit the bookmarklet, and it's not (that I've se

  • by smoothnorman ( 1670542 ) on Saturday February 18, 2012 @11:48PM (#39090627)
    "What do you want Google? The Key of Orthanc, or perhaps the keys of Barad-dûr itself, along with the crowns of the seven kings, and the rods of the five wizards?"
  • OpenID (Score:5, Informative)

    by IGnatius T Foobar ( 4328 ) on Saturday February 18, 2012 @11:51PM (#39090643) Homepage Journal
    The interesting thing about OpenID is that the vast majority of people who use it, don't even know that they're using it. When I added support for OpenID 2.0 to my website, I found that the vast majority of takeup was from people who pushed the "Log in with Google" button. There's nothing special about that button, it just automatically fills in the known OpenID for Google. There are buttons for AOL/AIM and Yahoo too, as well as the "enter your own openid" of course, but the vast majority of people who use it, are going with Google.

    So you can safely ignore the naysayers who claim OpenID is dead and there wasn't any takeup. It's huge, it just didn't take the form most people imagined.
    • I'm sure Google loves OpenID. Now, not only do they get to track IPs and cookies from the various sites that use Google Ads or Analytics, they get to correlate multiple online identities on unrelated sites and build a detailed profile about a person. OpenID, sadly, isn't dead, but that doesn't mean it isn't a bloody stupid idea.
      • That's why I use my Ubuntu account [launchpad.net] instead of my Google account when I want to log in somewhere with OpenID. Is Canonical likely to track me and do evil things with the information?
        • Probably not, but now two unrelated sites can still cooperate to identify you between them. If you log in anywhere that uses your OpenID address as a public identifier then so can any crawlers. As I said in another post, a well-designed version of OpenID would have the authentication server provide no more assurance than that the same person attempting to log in twice was the same person. It would not provide any information that could tie this person to another account on an unrelated system.
      • Also, OpenID allows for more than just login -- it's extended for "profile exchange" and more. Ideal for Google, and all large companies, unlike https://browserid.org/ [browserid.org] or other schemes.

  • I don't understand (Score:4, Insightful)

    by Superdarion ( 1286310 ) on Saturday February 18, 2012 @11:52PM (#39090655)

    I just don't get it. How will this help? It's not that people can't generate random passwords (see, here's one: !wef112SFAWffx9). It's just that they can't be bothered to even try to remember such things. People choose "1234" because they don't want to make the effort to remember long, complicated passwords. So what does this tool by Google accomplish?

    Now, the article is not clear about it, but I think there's gonna be a Chrome-embedded tool to manage all passwords. While this is cool, KDE and GNOME already do it by default in Ubuntu (and I assume in other distros that use them). I don't know about Windows, but there should be one or two around. If there aren't (or if you really like Chrome and wish to grant it control over your passwords), I just don't see how having an explorer-specific tool to manage passwords is a particularly good idea. An OS-wide password manager is much better, like the aforementioned KDE and GNOME implementations, because it works with whatever you're using, not just your choice of internet navigation software.

    Here's an idea: make a piece of software that doesn't even try to create great random passwords that are very difficult to crack with a computer. Instead, make it create simple passwords that are just a string of dictionary words, easy to remember by a person, hard to guess by another person and, since it's a string of words (and not just the one), hard to crack with a computer.

    • Chrome already has an embedded password manager. I'm with you that it's nicer to have something external to the browser but that plugs into it. But I prefer an external app/format to the OS as well since it's easier to use the password database on whatever platform I need. All that being said, for most Chrome users Google doesn't have much to do with the OS, and something straightforward to use is a step in the right direction for most people.

    • Now, the article is not clear about it, but I think there's gonna be a chrome-embedded tool to manage all passwords.

      Like most (all?) browsers, Chrome already has an embedded password manager. And it's better in one way than the desktop-based PW manager, at least for people who use multiple devices, because Chrome Sync will synchronize your passwords to Chrome on all of your other devices. So you have your passwords everywhere.

  • http://www.cyberciti.biz/faq/linux-random-password-generator/ [cyberciti.biz]

    This might work nicely for those with access to a UNIX/Linux machine...

    • by lindi ( 634828 )
      Unfortunately that does not work nicely. On a multiuser Linux system everyone can see your password by looking at the process list. Here's a proof of concept:

      testi1@lindi2:~$ wget -q http://iki.fi/lindi/watchps.c
      testi1@lindi2:~$ gcc -O2 -Wall -o watchps watchps.c
      testi1@lindi2:~$ echo /lib/x86_64-linux-gnu | ./watchps
      helper got 6738, waiting for 6739

      ...

      testi2@lindi2:~$ genpasswd
      sh88xS5MKUAiGTvk

      ...

      woke up
      cmdline: "/bin/echo sh88xS5MKUAiGTvk "
      helper got 6739, waiting for 6740
    • Or you could use mkpasswd.
  • Does Google Chrome have a cryptographic-grade random number generator with a good source of entropy? JavaScript Math.random() is known to be predictable. [trusteer.com] Has someone with respected crypto qualifications checked over the code and signed off on it?

    • Does Google Chrome have a cryptographic-grade random number generator with a good source of entropy? JavaScript Math.random() is known to be predictable. [trusteer.com] Has someone with respected crypto qualifications checked over the code and signed off on it?

      Chrome already has facilities for generating random numbers for generation of SSL session keys (or inputs to generation of SSL session keys) and for generation of key pairs. I've never looked at the source, but we also haven't heard about any issues with Chrome in those contexts. I would expect that Chrome uses the OS-provided RNG (e.g. /dev/random) facilities where available.
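
The concern raised in this sub-thread, as an added example that is not part of the discussion and not Chrome's code: characters are drawn from the platform CSPRNG (Web Crypto) instead of Math.random(), with rejection sampling so every symbol is equally likely. The same helper builds the dictionary-word passphrase suggested earlier in the thread, and `entropyBits` computes length × log2(pool size); the character set and the 16-word list are constructed for illustration.

```javascript
// Added example, not Chrome's implementation.
// Assumption: Web Crypto is reachable as globalThis.crypto (browsers, recent
// Node.js) or through node:crypto on older Node.js versions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n). Values at or above the largest multiple of n are
// rejected, because a plain `x % n` would make low indexes slightly more likely.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in [1, 2^32]');
  }
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// `count` independent, uniform picks from a string or array.
function pick(pool, count) {
  const out = [];
  for (let i = 0; i < count; i++) out.push(pool[randomIndex(pool.length)]);
  return out;
}

// Entropy in bits of `count` independent uniform picks from `poolSize` options.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
// Constructed character set: 26 + 26 + 10 + 15 = 77 symbols.
const CHARSET = LOWER + LOWER.toUpperCase() + '0123456789' + '!#$%&()*+-=?@^_';

function randomPassword(length) {
  return pick(CHARSET, length).join('');
}

// Constructed 16-word list, far too small for real use (4 bits per word).
const WORDS = ['amber', 'birch', 'cobalt', 'delta', 'ember', 'fjord', 'garnet', 'harbor',
  'indigo', 'juniper', 'kelp', 'lantern', 'meadow', 'nectar', 'onyx', 'pebble'];

function randomPassphrase(wordCount, words = WORDS) {
  return pick(words, wordCount).join(' ');
}

console.log(randomPassword(16), entropyBits(CHARSET.length, 16).toFixed(1), 'bits');
console.log(randomPassphrase(4), entropyBits(WORDS.length, 4), 'bits');
```

With these definitions, `entropyBits(92, 11)` is about 71.8 bits for an 11-character password over 92 symbols, and `entropyBits(2048, 4)` is 44 bits for four words from an assumed 2048-word list.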

  • by JakFrost ( 139885 ) on Sunday February 19, 2012 @01:45AM (#39091087)

    Already Exists: http://passwordmaker.org/ [passwordmaker.org]
    Google Chrome: http://passwordmaker.org/Google_Chrome [passwordmaker.org]

    The Problem

    If you're like most people, you have a few passwords that you use over and over again on many different websites. You know this isn't secure, yet you do it anyway. Why? Because it's difficult to remember a unique password for each and every web site that requires one.
    Existing Solutions

    Maybe you do use unique passwords, and get around the problem of remembering them by storing them in a spreadsheet or other file. Maybe you even use one of the many password managers that are available. But now you've centralized your passwords and access to them becomes difficult while at work, a friend's computer, or a public internet terminal. You can't get to your passwords without carrying them around or publishing them on the internet. Some people even carry a USB keychain with their passwords wherever they go. How inconvenient. And publishing them on the internet? Yikes! We need not even mention the security risks inherent with that solution. Even if you trust the company storing the passwords, you can be sure every hacker in the world is drooling over the prospect of accessing their database (Like the LastPass break in of May, 2011 LastPass Announcement).

    Our Solution

    PasswordMaker solves all of these issues. It is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS/X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution.
    How It Works

    Warning - technical jargon in this section!

    You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." 1. In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

    What About Portability?

    For times when you must use one of the rare platforms to which PasswordMaker hasn't been ported, or are using a system where you can't install any software, there's an online version which mimics the extension and works in all web browsers new and old. No downloads or installations are required.

    • It would be so great if this was integrated with Keepass: let it figure out a password when possible, and let me do my stuff when needed.

      Keepass already has a pretty flexible automatic password generator btw.

    • by Chryana ( 708485 )

      This is not the same thing at all... The passwords made by the Google password generator are meant to be truly random, so no access to one website is related to another. On the other hand, all the passwords this application makes are generated from the exact same password plus domain name (which is obviously known), so if someone knows you use this service and guesses your master password, he has access to all the sites you go to. It is somewhat more secure than using the same password everywhere as long as
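
The scheme quoted in the parent comment and the objection in this reply, as an added example that is not PasswordMaker's code or algorithm: each site password is recomputed from a master password and the site's domain, so nothing is stored but the master password is the only secret. The HMAC and PBKDF2 construction, the alphabet, the iteration count and the `.example` domains are assumptions chosen for illustration (Node.js).

```javascript
// Added example. This is NOT PasswordMaker's algorithm; it only illustrates the
// hash(master password, site) idea quoted above. All inputs are constructed.
const nodeCrypto = require('node:crypto');

const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Expand a seed into `length` characters. Bytes >= 248 are skipped so that
// `byte % 62` stays uniform (248 is the largest multiple of 62 below 256).
function encode(seed, length) {
  let out = '';
  for (let counter = 0; out.length < length; counter++) {
    const block = nodeCrypto.createHmac('sha256', seed).update(String(counter)).digest();
    for (const byte of block) {
      if (byte < 248 && out.length < length) out += ALPHABET[byte % ALPHABET.length];
    }
  }
  return out;
}

// Fast variant: a single HMAC. Nothing is stored, but a leaked site password
// can be used to check master-password guesses offline at hash speed.
function deriveFast(master, domain, length = 16) {
  const seed = nodeCrypto.createHmac('sha256', master).update(domain).digest();
  return encode(seed, length);
}

// Stretched variant: PBKDF2 with the domain as salt multiplies the work per guess.
// The iteration count is an assumed value; tune it to the slowest device in use.
function deriveStretched(master, domain, length = 16, iterations = 200000) {
  const seed = nodeCrypto.pbkdf2Sync(master, domain, iterations, 32, 'sha256');
  return encode(seed, length);
}

const master = 'constructed master passphrase';
console.log(deriveFast(master, 'shop.example'), deriveFast(master, 'mail.example'));
console.log(deriveStretched(master, 'shop.example'));
```

Stretching only raises the cost of each guess; a randomly generated per-site password, as in the Chrome proposal, has no master secret to guess at all.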

  • Not needed (Score:4, Insightful)

    by scdeimos ( 632778 ) on Sunday February 19, 2012 @04:24AM (#39091259)
    Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.
    • A lot of people don't bother to download keepass and use it. This is a solution for people who otherwise wouldn't bother, so in that respect it would improve security.

      Of course, only where the break-ins involved password hacking. Most of the time it involves downloading malware.

      • so integrate it - let Chrome generate passwords (using keepass' quite good generator) and store the resulting password (plus site info etc) into a keepass DB. Then you can also use the passwords in different browsers and back them up a lot easier.

    • by Rich0 ( 548339 )

      Would love to use keepass, but it doesn't support all the platforms I'm running on. I'm stuck with Lastpass until that changes. I need support for Chrome on Windows/Linux/ChromeOS, and Chrome and the Android Browser on Android...

    • Anyone who cares about having different passwords for different sites will already be using a password database manager such as KeePass. Most password database managers also have random password generators. This is Google's solution in search of a problem.

      Or Google's attempt to convince more people to use diverse passwords, to push this good security practice out to a broader user base.

  • Great, now hackers have a single point of attack to lift passwords. Imagine hooking a function call to the generation plugin which sends every password and username back to the attacker....