Chrome and Edge want to help you with that password problem of yours | GeekComparison


If you’re like many people, someone probably nagged you to use a password manager and you still haven’t followed the advice. Now Chrome and Edge come to the rescue with improved password management built right into the browsers.

Microsoft announced a new password generator for the recently released Edge 88 on Thursday. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down list in the password field. Clicking the suggested candidate selects it as the password and saves it in the password manager built into the browser. Users can then have the password pushed to their other devices using the Edge password sync feature.

As I’ve explained for years, the things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the most secure sources of strong passwords. Instead of having to come up with a password that is truly unique and hard to guess, users can have a generator do it for them.

“Microsoft Edge offers a built-in strong password generator that you can use when you sign up for a new account or when you change an existing password,” wrote members of Microsoft’s Edge team. “Just search for the password suggested by the browser in the password field and if it is selected, it will be automatically saved in the browser and synced across devices for easy future use.”

Edge 88 also introduces a feature called the “password monitor.” As the name suggests, it checks saved passwords to make sure none of them are included in lists built on the basis of website compromises or phishing attacks. When enabled, the password monitor notifies users when a password matches lists published online.

Checking passwords securely is a difficult task. The browser must be able to compare a password to a large, ever-changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.

In an accompanying post also published Thursday, Microsoft explained how that’s done:

Homomorphic encryption is a relatively new cryptographic primitive that makes it possible to rely on encrypted data without decrypting the data first. For example, suppose we get two ciphertexts, one encodes 5 and the other encodes 7. Normally it makes no sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic ciphers, then there is a public operation that “appends” these ciphertexts and returns a cipher of 12, the sum of 5 and 7.

First, the client communicates with the server to obtain a hash H of the reference, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Because only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a kind of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential and obtains a result (true or false) encrypted with the same client key. The operation of the matching function looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, which decrypts it and obtains the result.

In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when evaluating this function on encrypted data. We have used many optimizations to achieve performance adapted to the needs of users.
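The homomorphic step Microsoft describes, as an added example that is not Microsoft's code and not part of the original article: a toy Paillier scheme (an additively homomorphic cipher used here as a stand-in, since the page names no specific cipher) adds Enc(5) and Enc(7), then runs a simplified computeMatch that returns one blinded ciphertext per list entry. The key size, the `h` stand-in for the OPRF output, and the breach list `D` are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy client keypair from two Mersenne primes; real keys use random 1024+ bit primes.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2          # public key
PHI = (P - 1) * (Q - 1)              # private key
MU = pow(PHI, -1, N)                 # private key

def encrypt(m):
    """Public operation: Enc(m) = (1 + N)^m * r^N mod N^2."""
    r = secrets.randbelow(N - 2) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    """Private operation, needs PHI and MU."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def he_add(c1, c2):
    """Multiplying ciphertexts adds the plaintexts underneath."""
    return c1 * c2 % N2

def he_scale(c, k):
    """Raising a ciphertext to k multiplies the plaintext by k."""
    return pow(c, k, N2)

def h(credential):
    """Stand-in for the OPRF output H(k): truncated SHA-256 (assumption)."""
    return int.from_bytes(hashlib.sha256(credential.encode()).digest()[:8], "big")

def compute_match(enc_hk, breached_hashes):
    """Server side: sees only Enc(H(k)), returns Enc(r * (H(k) - d)) per entry."""
    out = []
    for d in breached_hashes:
        diff = he_add(enc_hk, encrypt(-d))            # Enc(H(k) - d)
        out.append(he_scale(diff, secrets.randbelow(N - 2) + 1))
    secrets.SystemRandom().shuffle(out)               # hide which entry matched
    return out

def client_check(credential, breached_hashes):
    """Client side: encrypt, send, decrypt the replies; a 0 means a match."""
    replies = compute_match(encrypt(h(credential)), breached_hashes)
    return any(decrypt(c) == 0 for c in replies)

# Constructed sample data standing in for the server's breach list D.
D = [h(p) for p in ("123456", "hunter2", "letmein")]
if __name__ == "__main__":
    print(decrypt(he_add(encrypt(5), encrypt(7))))    # homomorphic 5 + 7
    print(client_check("hunter2", D), client_check("x9!Tq-long-unique", D))
```

The server never holds the private key, so it learns neither the credential hash nor the outcome; a non-matching entry decrypts to a random-looking value because of the blinding factor.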

Not to be outdone, members of the Google Chrome team unveiled their own password protections this week. Chief among these is a more comprehensive password manager built into the browser.

“Chrome may already ask you to update your saved passwords when you log in to websites,” Chrome team members wrote. “However, you may just want to update multiple usernames and passwords in one convenient place. That’s why, starting with Chrome 88, you’ll be able to manage all your passwords even faster and easier in Chrome settings on desktop and iOS (Chrome’s Android app will get this feature soon).”

Chrome 88 also makes it easier to check if saved passwords have ended up on password dumps. While password checking came to Chrome last year, the feature can now be accessed with a security check similar to the one below:


Many people feel more comfortable using a dedicated password manager because they offer more options than those baked into their browser. For example, most dedicated managers make it easy to use dice in a safe way. With the line between browsers and password managers starting to blur, it’s probably only a matter of time before browsers offer more advanced management capabilities.
