Google is adding to its palette of identity projects with a new password generator project for its Chrome browser.
The goal is to have the browser generate strong passwords to help users thwart phishing, malware and other attacks. Google is looking at browser sign-in as a stopgap measure until OpenID is widely accepted on the Internet.
The OpenID Connect specification, which is currently in an “implementer’s draft” and undergoing interop testing until the end of February, is a standard that outlines a consumer-grade authentication credential for use across Web sites.
Today, a combination of Chrome Password Manager and Browser Sync provides a browser sign-in, but users are still susceptible to phishing because they know the passwords they have entered in the Password Manager.
Google says the generator eliminates the phishing vulnerability by logging the auto-generated passwords into the Password Manager.
Long term, Google says the project could make it possible to change all of a user’s passwords if their account is detected to have been hacked.
The generator is but one of many ways Google is attempting to eliminate passwords. There is a collective mindset in the industry around doing away with passwords, which are notoriously weak or re-used.
A slew of recent hacks that harvested passwords, from Sony to Zappos to YouPorn, has repeatedly shown that users still think “12345” and “Password” are acceptable options. And it’s not just everyday Joes: Syrian president Bashar al-Assad was hacked by the group Anonymous, which revealed that the password “12345” was used not only by al-Assad but also by a number of members of the Syrian Ministry of Presidential Affairs.
The password generator project adds a small button to a website’s registration page. The button is used to generate a strong password. The user can opt to use the Chrome-generated password or enter one they devise.
Google does not automatically choose the password because its technology cannot detect rules for password composition, such as required capital letters, symbols or numbers.
The company says one technical challenge will be automatically detecting registration pages as a user surfs the Internet. Another challenge centers on websites that don’t allow auto-fill. Without that capability, the generator cannot enter the generated password in a Password Confirmation field.
The generator is only for devising new passwords and not for sites where the user already has a password, although Google says the generator could be used for password changes.
Google also will give users an option for secure password storage (protected by Captcha or strong authentication) on a secondary Web site when web surfers are not using Chrome.
The generator project is but one of a handful of ID projects Google is working on.
Its Street Identity project, announced in November, is a collaboration with mobile provider Verizon, attribute exchange service ID/Webdata, and trust framework provider Open Identity Exchange (OIX). The goal is to collect user attributes from a number of sources in order to more accurately identify a user.