Google's Strong Password Generator For Chrome Under Development
Now, I don't think there is any need to introduce the in-numerous risks and responsibilities that come with a password but there also have been equal number of ways to ensure the protection of the password. Now, Google is doing its bit by developing a Strong Password Generator to fix the issue of password theft. Google's long term plan is Browser log-in plus OpenID to secure password but as OpenID hasn't hit most sites yet, Google will be implementing the Browser control authentication it can afford now.
Though Browser Sync and Password Manager have been around for a while now, they still let users know their password, which might make them vulnerable to attacks like phishing. Google's solution is to make users devoid of their passwords completely. To accomplish this, Chrome needs to know when a user is on a page that is meant for account sign-up. This is achieved via heuristics (i.e. there is an account name field and two password fields).
#-Link-Snipped-#
After determining that it is a sign-up page, Chrome adds a small UI element to the password field. User can choose to click on the element which would pop a small dialogue box as a result. The box would have the random password generated by Chrome which it thinks would be suitable for them. Most sites have conditions when it comes to filling in password boxes,  (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters), so users might need to change the password generated if it doesn't fit the site's requirements. After the prompt is accepted, both the password fields are populated by Chrome.
There are a number of shortcomings which are still under work such as the situation where signup field has autocomplete = false. Also, Chrome needs to differentiate between updating password and sign-up page though both pages will use approximately the same heuristics. In case of an update, the Chrome browser would either refill the old password or user can click on the UI element and follow the procedure described above.
Because Chrome manages the passwords, users are unaware of it but there are cases of exceptions where user would need to know the password, for example, when using a different browser. In such a scenario, Google will provide a site similar to Valentine where users can sign in and view (and possibly export?) their passwords. This information would be secured behind a Captcha and users might also be prompted to enroll in StrongAuth when they first start using this feature.
Many would worry that this would shift all password theft attacks at Google but Google believes that it's easier to make logging into Google more secure via StrongAuth than doing so for every other site. Anyhow, Google mentions the possibility of automatically changing all the users if and when their account is hijacked.
Source & Image Credit: Password Generation - The Chromium Projects
Though Browser Sync and Password Manager have been around for a while now, they still let users know their password, which might make them vulnerable to attacks like phishing. Google's solution is to make users devoid of their passwords completely. To accomplish this, Chrome needs to know when a user is on a page that is meant for account sign-up. This is achieved via heuristics (i.e. there is an account name field and two password fields).
#-Link-Snipped-#
After determining that it is a sign-up page, Chrome adds a small UI element to the password field. User can choose to click on the element which would pop a small dialogue box as a result. The box would have the random password generated by Chrome which it thinks would be suitable for them. Most sites have conditions when it comes to filling in password boxes,  (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters), so users might need to change the password generated if it doesn't fit the site's requirements. After the prompt is accepted, both the password fields are populated by Chrome.
There are a number of shortcomings which are still under work such as the situation where signup field has autocomplete = false. Also, Chrome needs to differentiate between updating password and sign-up page though both pages will use approximately the same heuristics. In case of an update, the Chrome browser would either refill the old password or user can click on the UI element and follow the procedure described above.
Because Chrome manages the passwords, users are unaware of it but there are cases of exceptions where user would need to know the password, for example, when using a different browser. In such a scenario, Google will provide a site similar to Valentine where users can sign in and view (and possibly export?) their passwords. This information would be secured behind a Captcha and users might also be prompted to enroll in StrongAuth when they first start using this feature.
Many would worry that this would shift all password theft attacks at Google but Google believes that it's easier to make logging into Google more secure via StrongAuth than doing so for every other site. Anyhow, Google mentions the possibility of automatically changing all the users if and when their account is hijacked.
Source & Image Credit: Password Generation - The Chromium Projects
Replies
You are reading an archived discussion.
Related Posts
Credit cards have made payments easier, no doubt. The ease of carrying around a credit card and the smart service has made it's use ubiquitous in today's world. Soon enough,...
If the study by National Physical Laboratory is verified, the definition of Kilogram will change soon. The parameter for measuring one of the fundamental units of SI system is presently...
Microsoft has rolled up its sleeves to make their personal cloud service 'SkyDrive' the world's hard drive. That is, a personal cloud service tightly integrated with all the Windows machines...
Sony PS Vita, the handheld gaming console, which was launched in Japan in December 2011 sold over 300,000 units in the first few days itself. Now, a day before PS...
NVIDIA, along with Chinese phone maker company ZTE, is ready to mark its presence in mainstream smartphone market with their new phone ZTE Mimosa X. It is the first Android...