Google Password Generator in the Works

Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard.


The tool that Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them.

“Detecting when we are on a page that is meant for account sign up will be most of the technical challenge. This will likely be accomplished via heuristics (i.e. there is an account name field and two password fields). If we determine that this is a signup page, then we will add a small UI element to the password field. If the user clicks on this element, we will pop up a small dialogue box next to field asking the user if they would like Chrome to manage this password for them,” the project page on Chromium Projects says.

“If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password. The reason we don’t just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites. So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn’t work. We can skip this for sites that have ‘pattern’ set on the password field. Long term we can hopefully also gather some aggregate information from UMA users about the form of passwords they generated so that this whole process can be skipped for the vast majority of sites.”

Password management has become a major pitfall for many users in recent years as the number of sites that require authentication has exploded. As users have been required to register with more and more sites and services, including mobile apps and games, many of them have naturally tended to re-use passwords and use weak or easily guessable ones. This has been a boon for data thieves who, after stealing a database of usernames and passwords from one retailer or Web site, find that they often can compromise any number of other accounts belonging to those victims simply by re-using the passwords. 

A variety of services and products have emerged to help address the problem of password generation and management, including applications that will generate random passwords or store existing passwords in an encrypted form. But the problem has persisted.

Google’s password generator, which is in the development stage, won’t be able to protect users in every scenario. It’s meant for use in situations where users are signing up for a new service or need to set a new password. In situations where a user is simply signing in to an existing account, it won’t be of use. It also may not protect against a majority of phishing sites.

“Any website that has autocomplete turned off will not be able to be protected. Going by current phishing attacks, this means that 40-70% of phishing pages can’t be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites,” the Google documentation says.


Discussion

  • Anonymous on

    why do I not feel comfortable having Go Ogle create my passwords for me?

  • Anonymous on

    you're smart?

  • Anonymous on

    What we need is for sites to start accepting client side SSL certificates. Passwords are archaic.

  • Anonymous on

    xkcd.com already has a better solution than this endlessly propagated tripe.

    Correct Horse Battery Staple!  

  • Anonymous on

    Given Google's recent privacy fiascos I think I will stay away from this thing.

  • Jake on

    What's the point? People will write down the chosen password in their notebook.

  • Anonymous on

    Here's a hint

    % openssl rand -base64 12
    zExRWjdAZ/lwFe2n
    %

    Repeat that a few times and pick what you like; wasn't too hard really. Use a separate password manager to manage generated passwords. A bit of effort, yes, but not completely bogus once you get used to it.

    It's true that passwords are archaic and certificates would be better, but certificates, whether they are client side or server side, are not without problems either. See the EFF SSL Observatory, Convergence Beta and Perspectives projects for what's up.

  • Anonymous on

    I'll pass on letting Gizznoogle choose and store my passwords.
