Back in July, Microsoft researchers suggested that simple passwords may be suitable for the majority of user accounts, based on their studies, which showed that the majority of users still preferred to recycle the same ridiculously simple login credentials everywhere they go on the web.
And that’s despite the fact that password managers, which can be used to generate complex and nigh on impossible to guess passwords, are widely available and often at a price point no-one can refuse (that means free).
So why is that?
Is it a failing within the infosec profession if people can’t get something so basic right? Maybe. But I tend to think of it more along the lines of laziness/convenience – users with old and bad habits don’t want to change. They don’t want to remember lots of passwords because, let’s face it, that’s tricky. And they may not have even heard of a password manager, or at least not looked into them enough to realise what they can offer.
The times they are a changing though. Or at least they may be.
And that’s because Google might be muscling in on the password management business via its Chrome browser, if the latest developmental build is anything to go by.
The latest experimental version of Chrome, known as Canary, can be updated with Google’s updated password manager by typing the following into your address bar:
Once installed, you can use the password generator whenever you sign-up on a website.
According to Google’s Francois Beaufort, the user will be offered a “strong and pronounceable” password whenever they encounter a password field across the web:
“As soon as you focus the password field, a nice overlay will suggest you a strong and pronounceable password that will be saved in your chrome passwords. For info, Chromium uses a C library that provides an implementation of FIPS 181 Automated Password Generator (APG).”
Once entered, the new password will be added to your Google saved passwords, in much the same manner as a regular password manager.
Whether the experimental feature will make it into the next stable version of Chrome remains to be seen, but I think it unlikely. It could, however, make an appearance in the not too distant future, which could prove a little tricky for existing password managers such as KeePass and LastPass.
Knowing how many users value convenience over security, I suspect they will choose Chrome’s built-in password management over third-party alternatives. Or at least they would if they could stop using “password1” for everything.