If you are like a lot of people, someone has probably urged you to use a password manager and you still have not taken the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browser.
Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or changing an existing password. The generator provides a drop-down in the password field. Clicking on the suggested candidate selects it as the password and saves it in the password manager built into the browser. People can then push the password to their other devices using the Edge Password Sync feature.
As I’ve explained over the years, the same things that make passwords memorable and easy to use also make them easier for others to guess. Password generators are among the most secure sources of strong passwords. Instead of having to think up a password that is truly unique and difficult to guess, users can have a generator create one properly.
Members of the Microsoft Edge team wrote, “Microsoft Edge provides a built-in strong password generator that you can use when signing up for a new account or changing an existing password. In the password field just leave the password suggested by the browser and when selected, it will automatically save in the browser and sync to the device for easy future use.”
Edge 88 is also rolling out a feature called “Password Monitor”. As the name suggests, it monitors saved passwords to ensure that none of them are included in lists compiled from website compromises or phishing attacks. When turned on, Password Monitor will alert users when a password matches lists published online.
Password checking is a difficult task. The browser must be able to check passwords against a large, ever-changing list without sending sensitive information to Microsoft, or any information that could be observed by someone monitoring the connection between the user and Microsoft.
In an accompanying post published on Thursday, Microsoft explained how this is done:
Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without first decrypting the data. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. In general, there is no point in “adding” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.
First, the client communicates with the server to obtain a hash H(k) of the credential k, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine the password. The client then uses homomorphic encryption to encrypt H(k) and sends the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(total (k), d). The server forwards the encrypted result to the client, who decrypts it and receives the result.
In the above framework, the main challenge is minimizing the complexity of the computeMatch function to achieve good performance when this function is evaluated on encrypted data. We have used several optimizations to achieve performance that measures up to the needs of users.
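The 5 + 7 addition and the encrypted matching step described above can be seen in a small runnable form. This is an added example, not Microsoft's code: it assumes the Paillier cryptosystem (the page does not name the scheme), toy key sizes, a plain truncated SHA-256 in place of the OPRF-derived hash, and hypothetical names such as `compute_match` and `client_check`.

```python
import hashlib, math, secrets

# Toy Paillier (additively homomorphic). Constructed demo primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
PHI = (P - 1) * (Q - 1)          # private key material, held by the client only
MU = pow(PHI, -1, N)

def rand_unit():
    """Random element of Z_N*, used as encryption randomness and as a blinding factor."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def enc(m):
    return (1 + (m % N) * N) * pow(rand_unit(), N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def add(c1, c2):
    """Public operation: Enc(a), Enc(b) -> Enc(a + b). No key needed."""
    return c1 * c2 % N2

def H(credential):
    """Stand-in for the server-keyed hash; the OPRF exchange is not modelled here."""
    return int.from_bytes(hashlib.sha256(credential.encode()).digest()[:16], "big")

def compute_match(enc_h, breached):
    """Server side: sees only Enc(H(k)) and returns Enc(r * (H(k) - d)) for each d."""
    out = [pow(add(enc_h, enc(-d)), rand_unit(), N2) for d in breached]
    secrets.SystemRandom().shuffle(out)   # hide which list entry produced which reply
    return out

def client_check(credential, breached):
    replies = compute_match(enc(H(credential)), breached)  # only ciphertext leaves the client
    return any(dec(c) == 0 for c in replies)  # 0 means equal; anything else is random noise

# Constructed sample breach list held by the server (user:password format is an assumption).
BREACHED = [H("alice@example.com:hunter2"), H("bob@example.com:123456")]

if __name__ == "__main__":
    print(dec(add(enc(5), enc(7))))                        # the 5 + 7 example from the text
    print(client_check("bob@example.com:123456", BREACHED))
    print(client_check("bob@example.com:correct horse", BREACHED))
```

A production design would return a single encrypted True/False rather than one blinded ciphertext per list entry, which is where the complexity of the matching function that Microsoft mentions comes from.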
This week, members of the Google Chrome team also announced password protections of their own. Chief among them is a fuller-featured password manager built into the browser.
Members of the Chrome team wrote, “Chrome may already prompt you to update your saved password when you log into websites. However, you want to easily update multiple usernames and passwords in one convenient place. That’s why starting in Chrome 88, you can add all your passwords to the Chrome settings on desktop and iOS even more quickly and easily. (Chrome’s Android app will get this feature soon).”
Chrome 88 is also making it easy to check whether any saved passwords have wound up in a password dump. While password auditing came to Chrome last year, the feature can now be accessed through the browser's security check.
Many people are more comfortable using a dedicated password manager because they provide more capabilities than those baked into their browser. Most dedicated managers, for example, make it easy to use dice words in a secure way. As the line between browsers and password managers begins to blur, it is only a matter of time until browsers offer more advanced management capabilities.