Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard.
The tool that Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them.
“Detecting when we are on a page that is meant for account sign up will be most of the technical challenge. This will likely be accomplished via heuristics (i.e. there is an account name field and two password fields). If we determine that this is a signup page, then we will add a small UI element to the password field. If the user clicks on this element, we will pop up a small dialogue box next to the field asking the user if they would like Chrome to manage this password for them,” the project page on Chromium Projects says.
“If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password. The reason we don’t just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites. So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn’t work. We can skip this for sites that have ‘pattern’ set on the password field. Long term we can hopefully also gather some aggregate information from UMA users about the form of passwords they generated so that this whole process can be skipped for the vast majority of sites.”
Password management has become a major pitfall for many users in recent years as the number of sites that require authentication has exploded. As users have been required to register with more and more sites and services, including mobile apps and games, many of them have naturally tended to re-use passwords and use weak or easily guessable ones. This has been a boon for data thieves who, after stealing a database of usernames and passwords from one retailer or Web site, find that they often can compromise any number of other accounts belonging to those victims simply by re-using the passwords.
A variety of services and products have emerged to help address the problem of password generation and management, including applications that will generate random passwords or store existing passwords in an encrypted form. But the problem has persisted.
Google’s password generator, which is in the development stage, won’t be able to protect users in every scenario. It’s meant for use in situations where users are signing up for a new service or need to set a new password. In situations where a user is simply signing in to an existing account, it won’t be of use. It also may not protect against a majority of phishing sites.
“Any website that has autocomplete turned off will not be able to be protected. Going by current phishing attacks, this means that 40-70% of phishing pages can’t be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites,” the Google documentation says.