Google plots Chrome web password maker

Google is developing a password-generating tool that will bolt into its Chrome browser. The technology is designed to painlessly create hard-to-guess passwords when users sign up to websites. Whenever a site presents surfers with a field requiring a password, Chrome will display a key icon, giving users the option of allowing …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    So, in essence

    Google has decided to crib LastPass and build it directly into the browser. Holy mother of original ideas!

    While not a user (yet) of LastPass, I am curious if its extension has the same autocomplete-disable constraint that Google's approach has.

  2. Witty username
    Trollface

    Wait a minute

    Did Google just call Sony "incompetent"?

    FIGHT FIGHT FIGHT FIGHT

  3. JakeyC

    Mandatory XKCD: Password Strength

    http://xkcd.com/936/

  4. Anonymous Coward
    Anonymous Coward

    Lock in

    This will only work when you're logged into your Chrome browser/Google+ account.

    Exporting (if made available) will be to a Google Docs document/Google+ account.

    I wouldn't trust Google with this level of personal info - your bank account log in? No thanks.

    1. Anonymous Coward
      Big Brother

      Re: Lock in

      "I wouldn't trust google with this level of personal info - your bank account log in? No thanks"

      ... but you trust your bank? ;)

      There's irony in this day and age.

  5. Lunatik

    Good. Recent security updates have blocked my bookmarklet password generator from working on many sites. I can still use it but there are a couple of extra steps needed.

    All I'll need to do to start using the Google one is change my password on every site I've registered with in the last three years. Oh wai..

  6. Anonymous Coward
    Anonymous Coward

    Trust Google?

    Don't fancy trusting a company with a proven record of intentional privacy violations

    https://www.eff.org/deeplinks/2012/02/time-make-amends-google-circumvents-privacy-settings-safari-users

    and whose boss dismisses the importance of privacy

    https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmidt-dismisses-privacy

    No thanks, Google. I'm not as stupid as you'd like me to be.

  7. mmm mmm

    I'm going to carry on using LastPass.

  8. Anonymous Coward 15
    Devil

    Sony: Malicious or incompetent?

    Tough one.

  9. DrXym

    Password safe works for me

    I put my password safe in a dropbox folder and then I can access it and sync it from any machine.

    I generally assign a site to a tier of importance that determines how much effort I expend making the password and id unique. Blogs and forums are generally the bottom of the heap with some exceptions. Then it's stores like Amazon. Then it's email servers. Then it's payment services like PayPal. Then it's banks which normally have their own second level security system on top.

    So most of the time I get by with a few throwaways but the closer to the top of the heap, the more effort goes into the process. And password safe is there to remind me what the hell password I set or the challenge questions when I invariably forget.

    OpenID is certainly a useful adjunct to all this, as is PayPal. I think the issue to consider with single sign-on, especially Google, is that you are tying all your online activity to an identity. That may be convenient but it's certainly not without its own price in terms of privacy or your reliance on Google (or Yahoo etc.) for your identity going forward. For example, what would happen if someone hacked your account and it was terminated? Would you suddenly lose access to your other sites? At least if they were manually created then the answer is no, you wouldn't.

  10. Anonymous Coward
    Anonymous Coward

    All your passwords are belong to Google

    Is there a shred of personal info left that this company won't probe?

  11. Craigness

    Already doing it!

    The password creation feature is new but Chrome has been offering to store passwords for a while now. You can have them encrypted with your email password or with a separate one.

    If someone hacks your email (whether or not it's gmail) then you are vulnerable because all they have to do is visit various websites and ask for a password reminder.

  12. Mike Flugennock
    Devil

    Gawker: malicious or incompetent?

    A large dollop of both, I'd say.

    I say this as a former Gawker account holder -- not "former" in the sense of having to create a new password after the big password hack a few years ago, but "former" in the sense of becoming fed up with having to fight my way through buttloads of skyscrapers, "sponsored posts", and Flash interstitials that block out the menu and keep you from navigating the site until they've finished playing... and, mind you, this is _with_ NoScript, FlashBlock and AdBlock enabled.

    I wasn't the least bit surprised at the news of the Gawker password hack at the time; to me, it was no wonder their users' passwords were pwned as their programmers seemed entirely preoccupied with finding new ways to annoy the shit out of their users by shoving advertising in their faces at every possible opportunity. Needless to say, it's been a couple of years since I've been back there.

  13. Anonymous Coward
    Anonymous Coward

    You don't need anything stored in the cloud, nor the browser autocomplete database.

    You don't need anything stored in the cloud, nor the browser autocomplete database. Chrome should just distribute with this extension instead: http://passwordhasherplus.com

  14. OffBeatMammal
    Thumb Down

    LastPass does this, and more

    I guess the question "why would you use this instead of LastPass" can be answered by "Oh, I didn't know about LastPass".

    The Google alternative scares me for a few reasons, but privacy issues aside, being locked to a single browser seems like a dumb choice (what if I want to log into that site in Safari on my iPad... what hoops do I have to jump through to get my password?). LastPass also plays well with others... I use my YubiKey token to authenticate on a machine to prove it's me autocompleting passwords... are Google going to tie this to a 2 part authentication using an Android?

    The problems that both of them face today are:

    - site specific rules: how do you auto-generate a password reliably unless you know that the site wants "at least 6 characters, a mixture of upper and lower case, at least one digit and the only special characters allowed are #!$%"

    - Multi-page sign-in processes: My bank uses a 3 page sign in process and LastPass copes but I had to set up three entries (one for each page). It needs to become more elegant!

    - Rules based form completion: Two of the financial sites I use most days have implemented forms where they ask you to "Enter the First, Third, Fourth and Last letters of your password"... sadly LastPass don't seem to have the trick of auto-filling forms like that yet (though eWise do manage it for most of their supported institutions)

    Passwords in general suck. Sites that make me create a whole new identity to post one comment suck even more... OAuth isn't perfect but (like OpenID before it) is a step in the right direction...

    1. foxyshadis
      WTF?

      Re: LastPass does this, and more

      Financial web sites in general all have the most painful and useless password rules, presumably under the impression that if they make it too hard for legitimate users to get in, there's no way an attacker would ever be able to. Banks don't and never have understood network security, they're still grappling with the idea that a vault isn't enough.

      Even the most progressive ones still have absolutely asinine password rules, like you can't use any of one set of symbols but you MUST use at least one of another random set. Oh, and any customer service rep will be able to tell you it over the phone, of course.

      Ah well, I love my Password Maker, and LastPass is about the same thing. At least they're available just about everywhere, unlike Chrome, and don't require a network connection, unlike most password keepers.
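
The "site specific rules" problem raised in comment 14, as an added example that is not part of the thread and not Chrome's or LastPass's code: a generator that draws from the OS CSPRNG and honours a per-site policy. The policy dictionary layout, the function names and the 64-character upper bound are assumptions made for the illustration.

```python
import math
import secrets
import string

# Constructed policy encoding the rule quoted in the comment: at least 6
# characters, upper and lower case, at least one digit, symbols only from #!$%.
QUOTED_POLICY = {
    "min_length": 6,
    "max_length": 64,  # assumption: the comment states no upper bound
    "required": [string.ascii_lowercase, string.ascii_uppercase, string.digits],
    "optional": ["#!$%"],
}

def alphabet(policy):
    """Every character the site accepts, de-duplicated, in stable order."""
    return "".join(dict.fromkeys("".join(policy["required"] + policy["optional"])))

def complies(password, policy):
    """True if the password satisfies the length, charset and class rules."""
    return (
        policy["min_length"] <= len(password) <= policy["max_length"]
        and set(password) <= set(alphabet(policy))
        and all(any(c in cls for c in password) for cls in policy["required"])
    )

def generate_password(policy, length=16, max_tries=10_000):
    """Draw uniformly from the allowed alphabet with the OS CSPRNG and retry
    until the class rules hold (rejection sampling), so every compliant
    password of this length is equally likely."""
    if not policy["min_length"] <= length <= policy["max_length"]:
        raise ValueError("requested length is outside the site's limits")
    chars = alphabet(policy)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(chars) for _ in range(length))
        if complies(candidate, policy):
            return candidate
    raise RuntimeError("policy too restrictive for this length")

def entropy_bits(policy, length):
    """Upper bound on entropy: log2 of all strings over the alphabet."""
    return length * math.log2(len(alphabet(policy)))

if __name__ == "__main__":
    pw = generate_password(QUOTED_POLICY)
    print(pw, f"<= {entropy_bits(QUOTED_POLICY, len(pw)):.1f} bits")
```

Rejection sampling avoids the positional bias of "one character per class, then fill"; the cost is that the generator must know the site's rules up front, which is the gap the comment describes.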

  15. Anonymous Coward
    Anonymous Coward

    LockNote is handy

    http://sourceforge.net/projects/locknote/

    I don't think I'll be using a system which gives Google a means to see my logins and which requires Chrome.

  16. Anonymous Coward
    Mushroom

    The whole thing sounds silly, I feel for punters who share their passwords with Google and are locked into Google's browser.

    What's next, Google nuclear launch codes storage, for easy Cloud-based management of your nuclear arsenal?

    I see where Google is going with this - lock-in, lock-in, lock-in - and don't like it one bit.

    1. Craigness
      FAIL

      You're allowed to write the password down. Nothing here locks you into Google's browser.

    2. Anonymous Coward
      Anonymous Coward

      Google wants to lock you in

      Amazon wants to lock you in

      Microsoft wants to lock you in

      Apple wants to lock you in

      I suggest you just quietly sit in the corner with your tinfoil on and nobody will get you...

      Oh yeah and don't bother getting any metallic fillings either

      1. Anonymous Coward
        Anonymous Coward

        Oh come on, can't you see what's going on?

        "until more websites support OpenID, which Google views as a long-term solution to the problem"

        Obviously Google wants to turn into login central of the web. This is just one step closer to that goal.

        1. Craigness

          --ath

          Why so "worried" about Google when everyone here is using LastPass and Facebook is already the "login central" for the web? Can't you see what's already happened? Do you really have to manufacture this Google hatred on every article?

  17. Anonymous Coward
    Anonymous Coward

    pwgen ?

    Finally, about time. As people mentioned, it's most likely going to be a locked-in feature, but still a useful one IMO.

    It's the one thing I never could understand with Firefox and derivatives... they already had a password vault, why could we never export said data and why hasn't anyone come up with the idea of adding some kind of pwgen program?

    Since the browser is open the whole time the plugin would have plenty of time to build its random pool, thus being able to come up with decent passwords. The ability to both generate and store these could have been a very helpful combination.

  18. Wintermute

    LastPass

    Go search the Security Now podcast archive on GRC. There's an episode about LastPass where Steve Gibson explains why it is cryptographically strong. LastPass is the solution. It's been out there for years. If you are not using it, then you are really missing out.

    1. Anonymous Coward
      Anonymous Coward

      Re: LastPass

      http://attrition.org/errata/charlatan/steve_gibson/

  19. Anonymous Coward
    Alert

    The title is over there somewhere

    I use Keepass(x) for storing my passwords but generate my own, at least 16 characters long (some websites don't like long passwords, banks included). This is my choice. I have heard of LastPass, just never used it. I shall have to have a look at it.

    Google will only have your passwords if you let them have them. However a password generator is a good idea as long as you can keep a copy somewhere preferably encrypted. However, with all those usernames and passwords in one place they will make Google a bigger target than ever.

    @Craigness - yes Facebook is everywhere. With 800 million plus users it is close to login central, maybe more so than Google. Fortunately I am not on Facebook. It was good in the beginning but then went downhill, so I left. Deleted my account. No I don't have any Google accounts either. Never will.

  20. Robert Grant

    Website must support autocomplete?

    Autocomplete is nothing to do with the website; it's a browser thing. You can request that the browser disables autocomplete with a nonstandard (for HTML4) attribute, but the browser can ignore this if it chooses. I think possibly what you mean is if the site has dynamically generated IDs for its fields then it won't work?
