Google Chrome Password Generator tosses logic in the trash

Feb 20, 2012
14
Google Chrome Password Generator tosses logic in the trash

There's a feature coming out in a future version of Chrome (either the browser or the OS or both) which will generate a password for you, one "impossible" for a human to remember, and sync that password across your Chrome account. The reason this method is terrible, I must explain, is that unless this generator also creates a password as long as the system will let it, it's actually just as easy for a machine to crack as one you'd be able to remember on your own, without Chrome's help. This system is made supposedly to keep human password crackers at bay, but the developers at Chrome don't seem to be taking into account that these humans generally don't use their knowledge of you to crack your secrets in the first place.

This also has some security and privacy issues tied to it, perhaps at the least opportune time for Google in its relatively short history, and isn't quite in play yet. Google is said to be working on this feature for the near future and will implement it only after extensive testing. As PCWorld's John P Mello Jr's exclusive source retells it:

"When a user visits a page that Chrome thinks is asking to set up an account, it will place a key icon in the password field of the registration form. If the person clicks on that key, Chrome will ask the user whether he or she wants it to create a password. If the user says yes, Chrome will generate a password that includes letters, numbers and characters that make it difficult for a hacker to crack and impossible for the user to remember — and ask the user to approve it.

Chrome asks the user to approve the password because it may not jibe with the rules established by the site for a proper password. That means a person may have to modify the password manually before accepting it.
Once the password is accepted, Chrome will sync it with the user’s other devices running the browser — provided the sync feature is activated for the person’s Chrome account." - Mellow

I must in this case direct you to a comic from XKCD which tells the story of the modern password in much clearer words and images than I could ever present:

Make sense? Google is going the right direction only if you want to continue to rely on your web browser to remember all of your passwords for you. Having them synced across your account to whichever iteration of that browser you happen to be using is fun, but also allows for more possibilities that "hackers" will simply be able to pick up any one of your devices and not need your password to get to your accounts - as they're already automatically entered in.


Must Read Bits & Bytes