The Web Browser as the Ultimate Password Manager
We are notoriously bad at password hygiene. Yet, it is crucial for our digital lives. How many of us have managed to convince our friends and family members to use a strong and unique password for every service they use? How about the grumpy response when you suggest that they always use a password manager for everything?
Unfortunately, this problem is not going away anytime soon. The good news is that a web browser we already use every day is likely to solve our problem. My prediction is that every web browser will expand its functionality to be your ultimate, ubiquitous, and secure password management tool.
How is it possible? Well, let us take a look at the major functions a password manager must offer if it wants to be successful.
First, it has to store the passwords securely (very obvious, isn't it?).
Second, it must synchronize those passwords across different browsing sessions, perhaps also across different devices. Imagine that you sign up for Airbnb on its website, and then book a vacation house for your next trip. While you are on the road, ready to relax and enjoy your vacation, you probably need to open the Airbnb website again on a different computer or even use the Android/iOS app of Airbnb. It will be quite a hassle if you cannot retrieve your Airbnb password because it is tucked away inside the laptop you left at home.
Third, it should generate a password for you. Humans are not good at choosing a strong secret, gravitating towards personal, discoverable things: the dog's name, birthday, spouse's name, favorite movie character, celebrity crush, etc. This is why a password strength estimator is important, but sadly not every registration form adopts it. And even with the Diceware approach, the barrier is just too high for normal mortals. However, a password manager can easily offer a strong generated password, and in fact it should always do so.
If you look at the above criteria, most major web browsers have already implemented the first two. The users of the most popular web browser, Google Chrome, usually enjoy the ability to have their Chrome profile synchronized across multiple devices, e.g. a personal laptop and an Android phone. How about password generation? Fortunately, Google has now started experimenting with this feature in the latest Chrome Canary. It is currently based on FIPS 181, but that NIST standard has been obsoleted, so hopefully we will see an up-to-date implementation.
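As an added illustration (not Chrome's implementation and not code from the original article), this is one way a password manager can generate a password from the Web Crypto CSPRNG and put a number on its strength, with Diceware for comparison. The character classes, the 20-character default and the function names are assumptions made for this example.

```javascript
// Added example: alphabet, length and names are assumptions, not Chrome's implementation.
// Web Crypto CSPRNG: a global in browsers and current Node.js; older Node.js needs require().
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed character classes; look-alikes (l, I, O, 0, 1) are left out.
const CLASSES = {
  lower: "abcdefghijkmnopqrstuvwxyz",
  upper: "ABCDEFGHJKLMNPQRSTUVWXYZ",
  digit: "23456789",
  symbol: "-_.:!",
};
const ALPHABET = Object.values(CLASSES).join("");

// Uniform integer in [0, n) by rejection sampling. A plain `byte % n` would
// favour low indexes whenever 256 is not a multiple of n.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw every character independently, then redraw the whole string if a class
// is missing, so all accepted passwords stay equally likely.
function generatePassword(length = 20) {
  if (!Number.isInteger(length) || length < Object.keys(CLASSES).length) {
    throw new RangeError("length must cover every character class");
  }
  for (;;) {
    let out = "";
    for (let i = 0; i < length; i++) out += ALPHABET[uniformIndex(ALPHABET.length)];
    const ok = Object.values(CLASSES).every((set) => [...out].some((c) => set.includes(c)));
    if (ok) return out;
  }
}

// Entropy in bits of `count` independent uniform picks from `symbols` choices
// (an upper bound here: the class requirement removes a small fraction).
function entropyBits(symbols, count) {
  return count * Math.log2(symbols);
}

console.log(generatePassword(), entropyBits(ALPHABET.length, 20).toFixed(1), "bits");
// 7776 = 6^5 is the number of words in a Diceware list (five dice rolls per word).
console.log("Diceware, 6 words:", entropyBits(7776, 6).toFixed(1), "bits");
```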
When this password generation feature is finally deployed to the stable version of Chrome, millions of Internet users will have one less reason to use a weak password or even to reuse the same password over and over again. That is a very good thing! I am not surprised if this also means that Microsoft will push the same feature to its Edge browser, as well as Apple with its Safari browser.
But what about native mobile apps? Well, once your passwords are securely stashed and synchronized by the browser, it is a matter of tight integration with the application framework. On Android, Google is already heavily advocating for Smart Lock for Passwords. Many popular Android apps, from Netflix to Airbnb, have already started to adopt this approach. Try logging in to Airbnb on Chrome for desktop, have the password saved and synchronized, and now launch the Airbnb app on your favorite Android device. Voila! The app will offer to automatically sign you in, using the credentials synchronized from your Airbnb session on desktop Chrome. It is a seamless experience: you do not even have to remember or type that long password anymore.
I am optimistic that the era of worrying about weak secrets and scrambling to copy/paste unmemorable phrases will be long gone. Safeguarding our digital lives should be a pleasant experience!
Director at cybernetic sapiens inc.
6 years ago: No Cloud For Old Men ... i do not trust the cloud or any browser ... for me Open Source desktop KeePass is my goto (sic) password safe. https://keepass.info/ Ariya, i think we humans can make strong passwords, NoCloudForOldMen gets a 77 bit quality rating from KeePass. Many homo sapiens let browsers store passwords but leave their desktop and mobile devices unsecured—gain access to a device, access a password protected website such as a bank account, change that password, then while the owner of that bank account sleeps, drain her/his account. imho the best password protection is to change passwords frequently. For me, when a browser asks to save a password, i say never and then whenever possible, i tell that browser not to ask me again. caveat: i will put a KeePass data store in the cloud—but i will pull it down and update it locally.
Monetization and Engineering at Coda
7 years ago: I've personally started using 1Password, which has pretty solid integration with Chrome and native Android apps. Definitely recommend!
Currently building...
7 years ago: "I am not surprised if this also means that Microsoft will push the same feature to its Edge browser, as well as Apple with its Safari browser." Safari has had this feature since 2013 (https://www.macworld.co.uk/news/mac-software/hands-os-x-mavericks-safari-icloud-keychain-3457530/). I'm looking forward to all the major browsers having this feature and installing one less utility.
Working on hardware telemetry, manageability and virtualization on a daily basis and collaborating with a bunch of awesome engineers.
7 years ago: What about a different approach? Secure impersonation token. Each pair of trusted services shares a symmetric encryption key. Rather than sending a password, we just send a time-sensitive impersonation token to a service we need to access. If the symmetric key is compromised, just revoke and regenerate a new one for the pair. A bit simplistic, but storing and exchanging passwords with a high possibility of breach and compromise is just as bad as writing passwords on sticky notes.
Empowering Aspiring Software Engineers | Expert in Coding, Development, and Career Growth
7 years ago: What I am very worried about is that a bad guy can hack into Google accounts themselves (or any password manager) and then get access to all sites and apps. Social engineering works big time.