When a user visits a page that Chrome thinks is asking to set up an account, it will place a key icon in the password field of the registration form. If the person clicks on that key, Chrome will ask the user whether he or she wants it to create a password. If the user says yes, Chrome will generate a password made up of letters, numbers and other characters, which makes it difficult for a hacker to crack and impossible for the user to remember — and ask the user to approve it.
Chrome asks the user to approve the password because it may not jibe with the rules established by the site for a proper password. That means a person may have to modify the password manually before accepting it.
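The approval step described above exists because a randomly generated password can break a site's rules. As an added example (not Chrome's code and not part of the original article), the Python below generates a password against a site policy and reports which rules a candidate breaks; the `SitePolicy` fields, the default symbol set and the default length are assumptions made for illustration.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class SitePolicy:
    """Constructed model of a site's password rules (an assumption)."""
    min_length: int = 8
    max_length: int = 64
    symbols: str = "!@#$%^&*-_"      # symbols the site accepts; "" means none
    require_each_class: bool = True  # at least one character from every class

def _classes(policy):
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if policy.symbols:
        classes.append(policy.symbols)
    return classes

def violations(password, policy):
    """Return the rules the password breaks (empty list means acceptable)."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append("length")
    allowed = set("".join(_classes(policy)))
    if any(ch not in allowed for ch in password):
        problems.append("disallowed character")
    if policy.require_each_class:
        if not all(any(ch in cls for ch in password) for cls in _classes(policy)):
            problems.append("missing character class")
    return problems

def generate(policy, length=20):
    """Generate a random password that satisfies the policy."""
    classes = _classes(policy)
    # Clamp the requested length into the range the site accepts.
    length = max(policy.min_length, min(length, policy.max_length))
    if policy.require_each_class and length < len(classes):
        raise ValueError("policy cannot be satisfied at this length")
    alphabet = "".join(classes)
    # secrets draws from the OS CSPRNG; the random module would be predictable.
    required = [secrets.choice(c) for c in classes] if policy.require_each_class else []
    chars = required + [secrets.choice(alphabet) for _ in range(length - len(required))]
    secrets.SystemRandom().shuffle(chars)  # hide where the required characters sit
    return "".join(chars)
```

A generator that knows the site's policy can avoid the manual edit; one that does not has to fall back on the user correcting whatever `violations` would have reported.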
Once the password is accepted, Chrome will sync it with the user’s other devices running the browser — provided the sync feature is activated for the person’s Chrome account.
Google thinks its idea is a good one because if a person doesn’t remember his or her password, then it can’t be given away to phishers and other Net lowlifes.
Google’s ultimate goal is to have browsers authenticate a user’s identity. That would be done through a browser sign-in and something called OpenID. “While implementing browser sign-in is something that we can control, getting most sites on the Internet to use OpenID will take a while,” it said in a company blog. “In the meantime it would be nice to have a way to achieve the same effect of having the browser control authentication.”
“Currently you can mostly achieve this goal through Password Manager and Browser Sync, but users still know their passwords so they are still susceptible to phishing,” it continued. “By having Chrome generate passwords for users, we can remove this problem.”
Nevertheless, Google acknowledges that users may actually want to see their passwords from time to time, even if they can’t remember them. So in conjunction with the new password manager/creator, it’s mulling over creating a secure website where users will be able to see, and possibly print, the passwords.
Google also admits the new manager will face several challenges. For example, only accounts created after the feature is released will be included in the password archive.
If a site has disabled filling in passwords automatically, it added, the feature won’t work. In some cases, as with certain Microsoft sites, even if autofill is enabled, the manager won’t recognize the registration form.
Another potential danger of using a unified scheme like this is that all your passwords are stored in a single place. If someone cracks a user’s Chrome account, they would have immediate access to all that person’s passwords.
In addition, if a user accesses a site from a device that’s not their own or a browser that’s not Chrome, that person is going to have to remember that jumble of letters, numbers and other characters.