The plan is to improve password security and phishing protection

Feb 15, 2012 15:01 GMT

Google is working on a very interesting project for Chrome, an enhanced password management feature which will be able to generate strong random passwords to use when signing up for a new service. The idea is to enhance security by, on the one hand, providing users with stronger passwords, and, on the other, eliminating password reuse so even if one password is compromised, this won't affect other accounts.

"Chrome's long term solution to this problem [password insecurity and reuse] is browser sign in plus OpenID. While implementing browser sign in is something that we can control, getting most sites on the internet to use OpenID will take a while," Google wrote.

"In the meantime it would be nice to have a way to achieve the same effect of having the browser control authentication. Currently you can mostly achieve this goal through Password Manager and Browser Sync, but users still know their passwords so they are still susceptible to phishing. By having Chrome generate passwords for users, we can remove this problem," it added.

The idea is solid, if not exactly original, but there are a few problems with the design of the feature at this stage. Currently, Google plans to implement a password generator that will create a strong random password every time the browser detects a sign-up page, for example if it sees two password fields.

Google acknowledges that some sites have specific password requirements: some require the use of numbers, for example, while others may forbid certain characters or reject passwords that are too long or too short.

However, there doesn't seem to be a way to customize the generated password at this point, even though you can request a new suggestion from Chrome.
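As an added illustration (not Chrome's code, and not from the original article), here is one way a generator could honor the kinds of site requirements mentioned above: length limits, required digits, forbidden characters. The policy object shape and every name in it are assumptions made for this example.

```javascript
// Added example; names and the policy object shape are hypothetical, not Chrome's.
// Web Crypto CSPRNG: global in browsers and recent Node, under node:crypto otherwise.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!#$%&*+-=?@^_',
};

// Uniform integer in [0, n) via rejection sampling, which avoids modulo bias.
function randomBelow(n) {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / n) * n;
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// policy: { minLength, maxLength, mustInclude: [class names], forbid: 'chars' }
function generatePassword(policy = {}, targetLength = 20) {
  const { minLength = 8, maxLength = 64, mustInclude = [], forbid = '' } = policy;
  // Clamp the preferred length into the range the site accepts.
  const length = Math.min(Math.max(targetLength, minLength), maxLength);
  // Remove forbidden characters from every class before drawing anything.
  const allowed = {};
  for (const [name, chars] of Object.entries(CLASSES)) {
    allowed[name] = [...chars].filter((c) => !forbid.includes(c));
  }
  const pool = Object.values(allowed).flat();
  for (const name of mustInclude) {
    if (!allowed[name] || allowed[name].length === 0) {
      throw new Error(`policy cannot be met: no usable "${name}" characters`);
    }
  }
  if (pool.length === 0 || mustInclude.length > length) {
    throw new Error('policy cannot be met');
  }
  // One character from each required class, the rest from the whole pool.
  const out = mustInclude.map((name) => allowed[name][randomBelow(allowed[name].length)]);
  while (out.length < length) out.push(pool[randomBelow(pool.length)]);
  // Fisher-Yates shuffle so required characters do not always lead.
  for (let i = out.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}

// Constructed sample policy: 8-12 characters, needs a digit, no symbols allowed.
const SAMPLE_POLICY = { minLength: 8, maxLength: 12, mustInclude: ['digit'], forbid: CLASSES.symbol };
```

A policy that cannot be satisfied raises an error instead of silently producing a password the site would reject.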

Google seems to think that, if users don't know their passwords, they won't be able to forget them or provide them to some phishing site. The problem with that thinking is that there are times when users do need to know their passwords.

On the one hand, as Google itself worries, Chrome doesn't store the passwords for all sites; some sites, online banking sites for example, request that browsers don't save the ID and password for security reasons. With no mechanism for storing the password once it's generated besides Chrome's existing password manager, there is the risk that the user will be locked out of a site.

On the other hand, users do browse the web outside of Chrome, surprising as that may be, in which case they would need a way of accessing their passwords. Google recognizes this as well and there is talk about a central website where users can manage all of their passwords.

It's all in the concept stage at this point and things are still being fleshed out. But if any of this looks familiar, it's because there are already several tools that offer the same functionality, notably LastPass, which offers a customizable password generator, a central management website, browser plugins and mobile apps.