
Google Chrome May Soon Use 'AI' To Replace Compromised Passwords (arstechnica.com) 46

Google's Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. From a report: Google's preliminary copy suggests it's an "AI innovation," though exactly how is unclear.

Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, "Automated password Change" (so, early stages -- as to not yet get a copyedit), is described as, "When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in."

Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google's Password Manager and "is encrypted and never seen by anyone," the settings page claims.

  • No AI involved. (Score:5, Insightful)

    by Brain-Fu ( 1274756 ) on Tuesday February 11, 2025 @03:22PM (#65159957) Homepage Journal

    The article elaborates on this point: nothing about this feature seems to need or use AI. So, if it does wind up being categorized as an AI innovation, that's just pure marketing hype.

    Not surprising, the latest trends in AI have been far more marketing hype than anything else. Including my favorite: redefining "AGI" to mean "used to make lots of money." instead of anything that would even suggest "general intelligence."

    • It's just so mind numbingly stupid. The marketing droids out there don't even understand what the hell "AI" is. Then they redefine AGI so it's some kind of deus ex machina. I think someone needs to strap these market droids into a not so comfortable decrepit Lazy-Z-Boy and force them to watch the entire Terminator series followed by The Matrix. Hell, I think they should have to sit through the Terminator 3 nuclear missile launch scene on loop for at least a half hour.

    • A Grand Illusion?

      (improvements welcome)

      • by haruchai ( 17472 )

        A Grand Illusion?

        (improvements welcome)

        Now I have the song running through my head. Don't think I've heard it in over 30 years

    • by Njovich ( 553857 )

      It's the same nonsense as with the Google+ fiasco. Everything has to be AI whether it makes sense or not.

    • The article elaborates on this point: nothing about this feature seems to need or use AI. So, if it does wind up being categorized as an AI innovation, that's just pure marketing hype.

      Not surprising, the latest trends in AI have been far more marketing hype than anything else. Including my favorite: redefining "AGI" to mean "used to make lots of money." instead of anything that would even suggest "general intelligence."

      First thing I thought of. It seems like years that my Macs would tell me if I was using a compromised password, long before the AI buzzword Bingo world.

    • by stripes ( 3681 )

      The article elaborates on this point: nothing about this feature seems to need or use AI.

      Figuring out how to interact with a random web site and navigate the password change subsystem is the kind of task AI is decent at. Non-AI solutions like “define a standard protocol that all websites will need to implement” run headlong into the “all websites will not do a single damn thing” problem. Using heuristics and “advanced guessing engines” to kind of sort of figure out how

  • Automated password change is fine. Probably a good idea. But this could happen without anything related to LLMs or generative AI being involved. Google already detects passwords found in data breaches and tells you to change them.

    • by Calydor ( 739835 )

      Yeah, this sounds more like 'neat Chrome plugin' than 'AI'.

    • Re:what AI (Score:4, Insightful)

      by dgatwood ( 11270 ) on Tuesday February 11, 2025 @03:35PM (#65160013) Homepage Journal

      Automated password change is fine. Probably a good idea.

      Not always. I intentionally use crappy passwords for offline internal networks that are not routable to/from the public Internet, because being able to give someone that crappy password off the top of my head is more important than securing something that could only be attacked by physically walking up to the switch and plugging in a computer right in front of our faces.

      I guarantee passwords like "admin" show up in data breaches all the time. Do I care? No. Would I be pissed off if some browser decided to helpfully change it, and then I couldn't access it from another device that wasn't using that browser from that account? Oh, yes. Breaking access to production systems during a live shoot is the fastest way to get your browser perma-banned from my show network in one easy step.

      As long as there is explicit user consent prior to making the change, I have no problem with it, of course.

      • by haruchai ( 17472 )

        "I intentionally use crappy passwords for offline internal networks that are not routable to/from the public Internet"
        At work we have a bunch like that including some gear where the vendor is long out of business but the stuff just keeps on working & there's scant money to replace whatever it is.
        Some of our less technical groups struggled to manage some old gear where the UI was Java-based & browsers wouldn't load such old applets & the PCs were blocked from using older Java versions or even por

    • by unrtst ( 777550 )

      ... But this could happen without anything related to LLMs or generative AI being involved. ...

      Totally agree. But, that said, one has to start somewhere when rolling out solutions based on a new system/language/paradigm. LLM/AI may have been used to figure out how to do the password change on every disparate provider (it's never the same on every site), which is something that would take a human a fair bit of time, and would require constant updates and patching to keep it working. I'm not involved with this in any way, FWIW, but I'd bet this is a good real world use of it, where they have to includ

    • by Burdell ( 228580 )

      No, automated password change is NOT fine. A browser has no idea what that password is, why it is what it is, where else it may be used, who else may need the password, and more.

      • Chrome's password manager doesn't store your passwords in the browser. They're in Google's cloud storage and they're encrypted. If you use Google's password manager, you can always reset the compromised password. I don't use it for work at all, since we have our own password management system, but even if it did, I'd say it's better to have to reset a password than to have a compromised one out in the open.

        • by Burdell ( 228580 )

          That's only true if you link Chrome to a Google account, and also assumes you only use Chrome linked to that account for browsing (no other browser, no other account). That's a very "give Google your life" approach.

          But part of the problem is also the assumption that a known password is "compromised" and "out in the open". I reset a managed switch to factory defaults (in preparation for selling), and Chrome kept trying to get me to change the password. It's on my local network (so not "out in the open"), it'

  • Pointless (Score:4, Insightful)

    by nealric ( 3647765 ) on Tuesday February 11, 2025 @03:35PM (#65160011)

    Suggestions for secure passwords have been around for a while. The problem is they are worthless for something that a human might remember. Just relying on the browser to store your password isn't very helpful because your access is dependent on that device. It sounds like this is just a way of forcing you to use Google's password manager, which makes you dependent on Google for access to everything.

    • I was going to say the same thing: How is having a password that the user doesn't know any different from just using SSH keys?

      This problem has already been solved. Passwords are used because remembering a password is less of a hassle than teaching the average user how to use, safeguard, and copy SSH keys. Creating a password that nobody knows isn't any more secure, except in that it possibly locks the user out of accessing their accounts from their phone.

      • That's pretty much what passkeys are, except with some usability sugar, e.g. "scan this QR code to let the library computer log in with the passkey on your phone."

    • Suggestions for secure passwords have been around for a while. The problem is they are worthless for something that a human might remember. Just relying on the browser to store your password isn't very helpful because your access is dependent on that device. It sounds like this is just a way of forcing you to use Google's password manager, which makes you dependent on Google for access to everything.

      So much this. While a password like W3a5-dDOU-u1kv7-wDgjo is pretty good, people should use passphrases. Just as good - and you can make them pretty long. Sprinkle in a couple special characters, and then you can remember it

      • by newcastlejon ( 1483695 ) on Tuesday February 11, 2025 @05:44PM (#65160343)

        a password like W3a5-dDOU-u1kv7-wDgjo is pretty good

        That's amazing, I have the same combination on my luggage!

        Sorry, couldn't resist.

    • Re:Pointless (Score:4, Insightful)

      by supremebob ( 574732 ) <themejunky.geocities@com> on Tuesday February 11, 2025 @04:08PM (#65160099) Journal

      Yeah, I also don't want my Netflix password changed to ^YYTG#YUHYUgsdsF% automatically because it just happened to find a password that looks like mine in a list of 50 million passwords, and then have to enter that new terrible password on a dozen Smart TVs and other devices that don't use Google's password manager on screen keyboard. Opt me out of this "security enhancement", thanks.

  • It's like when everyone was putting "blockchain" in their company name to capitalize on the average moron's cursory understanding of blockchain technology. As in the Long Island Blockchain Tea Company. Case in point: I was walking thru a shopping mall today. Tax season is upon us. A small storefront had the following sign "AI Tax Preparation".

    Wow! Amazing! Right? Maybe not.

    • It's like when everyone was putting "blockchain" in their company name to capitalize on the average moron's cursory understanding of blockchain technology.

      I don't remember this in the slightest. I imagine it was just the crypto-bros doing it in a sad attempt to get normal people to care... or to even notice.

  • by az-saguaro ( 1231754 ) on Tuesday February 11, 2025 @04:11PM (#65160105)

    Already several posts above mine, all with the same observation - what does this have to do with AI?

    User logs in or connects. Look up username in database of compromised passwords. Find a match? > prompt user to change password - OR - now, a new service, we will change it for you.
    That's nice - a good idea and considerate service from one point of view, perhaps another layer of security risk from other points of view. Either way, it seems like a simple task using rudimentary programming principles used since whenever.

    Aside from the apparent nonsense and marketing-hype behind this, here is what got my attention:

    It seems like hardly a day goes by now that some service provider or vendor hasn't put up an ad saying that their new gizmo, or their old products recently updated, now use AI for this-that-the other. Many of these new or revamped products make no sense as needing AI, as in this article. Even those that seem like a good fit to AI, I don't get how they incorporated the technology in a meaningful reliable way as quickly as it seems.

    It has only been about 2 years since AI became "public" through open LLM's or commercial services. IT and tech people are losing jobs in general, which lately has been interpreted in part as "jobs displaced by AI" but plenty of other factors as well. If all of these companies are enabling AI in their products, how are they finding the time and talent to do so?

    I am not in that industry, so maybe I just don't see the situation properly. But it seems unrealistic that many of these companies touting AI-enabled crap could have engineered or re-engineered their products that quickly. And if they did, where did they find the talent or skills to do so on such short notice? ... or in an environment where IT workers are reportedly losing jobs rather than reportedly being rehired or repurposed for AI? ... and if they were, why aren't we seeing a call for more such talent because with all the companies competing on this all at once, manpower should be short and it would be an employee's market? It just doesn't add up. If they have workers already, retrain them for AI, not fire them. If they want to hire already-baked AI workers, I don't see where they are coming from in such a short time frame, and I haven't seen much about colleges or tech schools adjusting their census for massive AI mobilization.

    So, for the many of you who are in these industries, please educate me - if a lot, even any of these "try our new fangled AI enabled garden hose and bar soap" claims are realistic, part BS, all BS, or anything tangible versus just marketing vaporware.

    • "It has only been about 2 years since AI became "public" through open LLM's or commercial services"

      You had to ignore a decade of people complaining about spambots on social media to say this. That's weird.
  • Will try to compromise your ad blocker and stalk you around the internet. And since AI doesn't actually work it will fail.
  • I already get enough of the "hey, your password may have been compromised" messages on my Android phone and I think also in Edge on my PC. I don't want Google or anyone else offering to change that password (or worse, doing it automatically).

  • I stole those fair and square and no AI is going to change them without my consent.

  • by NotEmmanuelGoldstein ( 6423622 ) on Tuesday February 11, 2025 @05:01PM (#65160223)

    ...never seen by anyone ...

    If Chrome saves this re-write in Google Password, a skilled user can access the password and update his/her password manager. Not pretty but cyber-security continues as normal.

    If the owner of the account can never see the new password, the account can only be accessed using Chrome browser and only on a device sharing the same Google/Chrome account. This is vendor lock-in, which also forces all devices to share the one account. We've already seen this problem with Windows 11: A child uses an adult's computer to log-in to his/her account, now the computer always connects to the child's account. (Solution 1: Use another computer to change the password of the child's account, preventing auto-login. Solution 2: Create a new Microsoft online account and slave the adult's computer to it.)

  • by organgtool ( 966989 ) on Tuesday February 11, 2025 @05:06PM (#65160239)
    With password managers as well as technology like this, passwords are starting to blur the line between "something you know" and "something you have".
    • Well, one could argue that it's just abstracted a bit. You still have to "know" your password vault's master password.

      • An attacker may be able to surreptitiously acquire your vault's master password and you'll likely never know until it's too late. Of course, the same could happen with the password to an individual account, but that would only allow them access to one account. Given the popularity of password managers, they have become a desired target for hackers [techradar.com].
  • Whenever I see one of these companies trying to pretend something that could've been done 10-20 years ago was now some magical AI innovation, it makes me think of a SpongeBob SquarePants episode - the one where the Krusty Krab decided to extend their hours. SpongeBob kept announcing the various mundane normal tasks he was doing... except now they were "at night!".

    https://youtu.be/m90R7j3D3DM [youtu.be]

  • In (google's) Soviet Russia, password guesses you!

  • by Mirnotoriety ( 10462951 ) on Tuesday February 11, 2025 @08:50PM (#65160617)
    Wouldn't it be safer to not let Google have access to your passwords?
  • Lack of informed consent. F that.
