Chrome and Edge want to help with your password problem


If you’re like a lot of people, someone has probably urged you to use a password manager and you still haven’t taken the advice. Chrome and Edge are now coming to the rescue with enhanced password management built right into the browsers.

Microsoft announced on Thursday a new password generator for the newly launched Edge 88. People can use the generator when signing up for a new account or changing an existing password. The generator provides a drop-down menu in the password field. Clicking on the suggested candidate selects it as the password and saves it in the password manager built into the browser. People can have the password sent to their other devices using Edge’s password sync feature.

As I explained years ago, the same things that make passwords easy to use and memorable are what make them easy for others to guess. Password generators are among the most secure sources of strong passwords. Instead of having to think up a password that is truly unique and difficult to guess, users can have a generator do it correctly.

“Microsoft Edge offers a built-in strong password generator that you can use when signing up for a new account or changing an existing password,” wrote members of the Microsoft Edge team. “Just look for the password drop-down list suggested by the browser in the password field and, when selected, it will be automatically saved in the browser and synchronized between devices for easy future use.”

Edge 88 is also launching a feature called “password monitor”. As the name suggests, it monitors saved passwords to ensure that none of them appear in lists compiled from website compromises or phishing attacks. When turned on, the password monitor alerts users when a saved password matches one in the lists published online.

Checking passwords securely is a difficult task. The browser must be able to check a password against a large, ever-changing list without sending confidential information to Microsoft, and without exposing anything to someone who monitors the connection between the user and Microsoft.

In a post also published on Thursday, Microsoft explained how this is done:

Homomorphic cryptography is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we receive two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it makes no sense to “add” these ciphertexts. However, if these ciphertexts are encrypted using homomorphic encryption, there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.

First, the client communicates with the server to obtain a hash H of the credential, where H denotes a hash function that only the server knows about. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from executing an efficient dictionary attack on the server, a type of brute force attack that uses a wide range of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and sends the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a corresponding function on the encrypted credential, obtaining a result (True or False) encrypted with the same client key. The operation of the match function looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, who decrypts it and obtains the result.

In the structure above, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We use many optimizations to achieve performance that adapts to the needs of users.
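The flow Microsoft describes can be sketched end to end. This is an added example, not Microsoft's code: it uses textbook Paillier as a stand-in additively homomorphic scheme (the page does not say which scheme Edge uses), reproduces the 5 + 7 = 12 addition, and implements a simplified `compute_match` that returns an encrypted zero on a match rather than an encrypted True/False. All names, the toy key size, the plain SHA-256 standing in for the server-keyed H, and the sample list `D` are assumptions.

```python
import hashlib
import math
import secrets

# Toy Paillier key (additively homomorphic). The two Mersenne primes are far
# too small for real use; they only keep the arithmetic readable.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private key, lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # valid for generator g = n + 1

def _rand_unit():
    """Random r in [1, n) that is invertible mod n."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def encrypt(m):
    # Enc(m) = (1 + n)^m * r^n mod n^2, using (1 + n)^m = 1 + m*n (mod n^2)
    return (1 + (m % N) * N) * pow(_rand_unit(), N, N2) % N2

def decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    """Public operation: Enc(a), Enc(b) -> Enc(a + b). No key needed."""
    return c1 * c2 % N2

def credential_hash(credential):
    # Assumption: SHA-256 stands in for H(k); the real H is server-keyed via an OPRF.
    return int.from_bytes(hashlib.sha256(credential.encode()).digest()[:8], "big")

def compute_match(enc_h, breached):
    """Server: sees only Enc(H(k)); returns Enc(r * (H(k) - d)) for each d in D."""
    out = []
    for d in breached:
        diff = add(enc_h, encrypt(-d))           # Enc(H(k) - d)
        out.append(pow(diff, _rand_unit(), N2))  # blind non-matches with random r
    secrets.SystemRandom().shuffle(out)          # hide which entry matched
    return out

def is_breached(credential, breached):
    """Client: encrypt H(k), let the server match, decrypt; 0 means a match."""
    replies = compute_match(encrypt(credential_hash(credential)), breached)
    return any(decrypt(c) == 0 for c in replies)

# Constructed sample list D, not real breach data.
D = [credential_hash(p) for p in ("hunter2", "letmein", "123456")]
```

The server's work here grows linearly with the size of D, which is the performance problem the quoted post says its optimizations address.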

Not to be outdone, members of the Google Chrome team this week revealed their own password protections. The main one is a more fully featured password manager built into the browser.

“Chrome can now ask you to update your saved passwords when you sign in to websites,” wrote the Chrome team members. “However, you may want to update multiple usernames and passwords easily, in one convenient location. That’s why starting with Chrome 88, you can manage all your passwords even more quickly and easily in Chrome settings on the desktop and iOS (the Chrome Android app will also receive this feature soon).”

Chrome 88 is also making it easier to check whether any saved passwords have ended up in password dumps. Although password auditing came to Chrome last year, the feature can now be accessed through a security check.


Many people are more comfortable using a dedicated password manager because it offers more features than those built into their browser. Most dedicated managers, for example, make it easy to use dice words securely. With the line between browsers and password managers starting to blur, it’s probably only a matter of time before browsers offer more advanced management features.
