If you’re like a lot of people, you’ve probably been nagged to use a password manager and still haven’t taken the advice. Chrome and Edge now come to the rescue with improved password management built directly into the browsers.
Microsoft announced a new password generator for the recently released Edge 88 on Thursday. People can use the generator when signing up for a new account or when changing an existing password. The generator appears as a drop-down menu in the password field; clicking on the suggested candidate selects it as the password and saves it in the browser.
As I’ve been explaining for years, the things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the most reliable sources of strong passwords. Instead of having to come up with a password that is truly unique and hard to guess, users can let the generator do it properly.
“Microsoft Edge offers a built-in strong password generator that you can use when you sign up for a new account or when you change an existing password,” wrote members of Microsoft’s Edge team. “Just look for the drop-down menu suggested by the browser in the password field, and when selected, it will automatically be saved in the browser and synchronized between devices for easy future use.”
Edge 88 also launches a feature called “password monitor”. As the name suggests, it monitors saved passwords to make sure none of them appear in lists compiled from website breaches or phishing attacks. When enabled, the password monitor alerts users when one of their passwords matches a list posted online.
Checking passwords in a secure way is a difficult task. The browser must be able to check each password against a large, ever-changing list without sending sensitive information to Microsoft, and without sending anything that could be intercepted by someone monitoring the connection between the user and Microsoft.
In an accompanying post, also published Thursday, Microsoft explained how it does this:
Homomorphic encryption is a relatively new cryptographic primitive that allows the calculation of encrypted data without first decrypting the data. Suppose, for example, that we are given two ciphertexts, one encrypting 5 and the other encrypting 7. It usually makes no sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.
First, the client communicates with the server to obtain a hash H(k) of the credential k, where H is a hash function known only to the server. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Because only the server knows the hash function H, the client is prevented from performing an effective dictionary attack against the server, a type of brute-force attack that tries a large number of likely passwords. The client then uses homomorphic encryption to encrypt H(k) and sends the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, which decrypts it and obtains the result.
In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We’ve used many optimizations to achieve performance that adapts to user needs.
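The flow in the quoted passage, as an added illustration that is not Microsoft's code: the OPRF step is a blinded exponentiation in a toy 127-bit multiplicative group, and the homomorphic step uses Paillier (additively homomorphic, with toy primes) in place of the production scheme. All function names and the sample leaked credentials are invented; a real deployment would use a proper OPRF and parameter sizes.

```python
import hashlib, math, secrets

# --- OPRF over Z_P^* (toy-size Mersenne prime; exponents live mod P-1) ---
P = 2**127 - 1

def hash_to_group(cred: bytes) -> int:
    return int.from_bytes(hashlib.sha256(cred).digest(), "big") % (P - 2) + 2

def rand_unit(m: int) -> int:
    while True:                      # random r with gcd(r, m) == 1, so r is invertible mod m
        r = secrets.randbelow(m - 2) + 2
        if math.gcd(r, m) == 1:
            return r

def client_blind(cred: bytes):
    r = rand_unit(P - 1)             # blinding factor known only to the client
    return r, pow(hash_to_group(cred), r, P)        # a = h^r hides the credential from the server

def server_oprf(a: int, k: int) -> int:
    return pow(a, k, P)              # b = a^k: the server applies its secret key k without seeing h

def client_unblind(b: int, r: int) -> int:
    return pow(b, pow(r, -1, P - 1), P)             # H(k) = h^k, computable only with the server's help

def server_build_dataset(leaked: list[bytes], k: int) -> list[int]:
    return [server_oprf(hash_to_group(d), k) for d in leaked]   # D: leaked credentials under H

# --- Paillier: Enc(a) * Enc(b) = Enc(a+b), Enc(a)^s = Enc(s*a) (toy primes, not production size) ---
PP, PQ = 2**61 - 1, 2**89 - 1
N = PP * PQ; N2 = N * N
LAM = math.lcm(PP - 1, PQ - 1)
MU = pow((pow(N + 1, LAM, N2) - 1) // N, -1, N)

def enc(m: int) -> int:
    return pow(N + 1, m % N, N2) * pow(rand_unit(N), N, N2) % N2

def dec(c: int) -> int:
    return (pow(c, LAM, N2) - 1) // N * MU % N

def compute_match(c: int, D: list[int]) -> list[int]:
    # Server side: for each leaked H(d) return Enc(r_d * (x - d)); it decrypts to 0 iff x == d
    # and to a random value otherwise, so the server learns nothing and the client learns only the verdict.
    return [pow(c * enc(-d) % N2, rand_unit(N), N2) for d in D]

def password_leaked(cred: bytes, k: int, D: list[int]) -> bool:
    r, a = client_blind(cred)
    x = client_unblind(server_oprf(a, k), r)        # H(k) for the client's credential
    return any(dec(c) == 0 for c in compute_match(enc(x), D))
```

The server's key `k` is passed in here only so the round trip runs in one process; in the protocol it never leaves the server.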
Not to be outdone, members of the Google Chrome team unveiled their own password protections this week. Chief among them is a more capable password manager built into the browser.
“Chrome may now prompt you to update your saved passwords when you sign in to websites,” wrote members of the Chrome team. “However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why, starting with Chrome 88, you can manage all your passwords even faster and easier in Chrome’s desktop and iOS settings (Chrome’s Android app will also get this feature soon).”
Chrome 88 also makes it easier to check whether a saved password has turned up in a password dump. Since the password checkup feature came to Chrome last year, it can now be reached through a security check similar to the one shown below:
Many people are more comfortable with a dedicated password manager, since such tools offer more features than the ones baked into browsers. Most dedicated managers, for example, make it easier to use diceware-style passphrases safely. As the line between browsers and password managers begins to blur, it’s probably only a matter of time before browsers offer more advanced management capabilities.