Chrome and Edge want to help you solve your password problem




If you’re like a lot of people, someone has probably urged you to use a password manager and you still haven’t followed the advice. Now Chrome and Edge are coming to the rescue with strong password management built right into the browsers.

On Thursday, Microsoft announced a new password generator for the recent Edge 88. People can use the generator when creating a new account or when changing an existing password. The generator offers a drop-down list in the password field. Clicking on a candidate selects it as the password and saves it in the password manager integrated in the browser. Users can then send the password to their other devices using the Edge Password Sync feature.

As I’ve explained for years, the things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the most secure sources of strong passwords. Rather than having to come up with a truly unique and hard-to-guess password, users can instead ask a generator to do it right.

“Microsoft Edge offers a built-in strong password generator that you can use when creating a new account or changing an existing password,” Microsoft Edge team members wrote. “Just look for the browser suggested password drop-down menu in the password field, and once selected, it will automatically be saved in the browser and synced between devices for easy future use.”

Edge 88 also deploys a feature called “password monitor”. As the name suggests, it monitors saved passwords to make sure none of them are included in lists compiled from website compromises or phishing attacks. When enabled, Password Monitor alerts users when a password matches lists published online.

Checking passwords securely is a difficult task. The browser should be able to verify a password against a large, constantly changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.

In a companion article also published Thursday, Microsoft explained how to do this:

Homomorphic encryption is a relatively new cryptographic primitive that allows computation on encrypted data without decrypting the data first. For example, suppose we have two ciphers, one with 5 and the other with 7. Normally, it doesn’t make sense to “add” these ciphers together. However, if these ciphers are encrypted using homomorphic ciphers, then there is a public operation that “adds” these ciphers and returns a cipher of 12, the sum of 5 and 7.

First, the client communicates with the server to obtain an H hash of the credentials, where H denotes a hash function that only the server knows. This is possible by using a cryptographic primitive called OPRF (Oblivious Pseudo-Random Function). Since only the server knows the H hash function, the client is prevented from performing an effective dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a match function on the encrypted credentials, obtaining a result (true or false) encrypted under the same client key. The corresponding function operation looks like this: computeMatch(Enc(k), D). The server transmits the encrypted result to the client, which decrypts it and obtains the result.

In the above framework, the main challenge is to minimize the complexity of the computeMatch function to achieve good performance when this function is evaluated on encrypted data. We have used many optimizations to achieve performance tailored to user needs.
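The flow Microsoft describes can be tried end to end with a toy additively homomorphic scheme; the following is an added example, not code from Microsoft or from the original article. It assumes Paillier encryption (the quoted text does not name a scheme), a blinded-difference test standing in for computeMatch, a plain SHA-256 truncation standing in for the OPRF output H(k), and hypothetical function names throughout.

```python
import hashlib, math, secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
PHI = (P - 1) * (Q - 1)          # private key (client only)
MU = pow(PHI, -1, N)             # private key (client only)

def rand_unit():
    """Random value in [1, N) that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def encrypt(m):
    # Paillier with g = N + 1: (1 + N)^m == 1 + m*N (mod N^2)
    return (1 + (m % N) * N) * pow(rand_unit(), N, N2) % N2

def decrypt(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def he_add(c1, c2):
    """Public operation: Enc(a), Enc(b) -> Enc(a + b)."""
    return c1 * c2 % N2

def he_scale(c, k):
    """Public operation: Enc(a), k -> Enc(k * a)."""
    return pow(c, k, N2)

def h(credential):
    # Assumption: stand-in for the server-keyed OPRF output H(k); NOT oblivious.
    return int.from_bytes(hashlib.sha256(credential.encode()).digest()[:16], "big")

def compute_match(enc_hk, leaked_hashes):
    """Server: sees only ciphertext; returns Enc(s * (H(k) - d)) per entry d."""
    return [he_scale(he_add(enc_hk, encrypt(-d)), rand_unit())
            for d in leaked_hashes]

def is_leaked(credential, leaked_hashes):
    """Client: encrypt, let server evaluate, decrypt; 0 means a match."""
    replies = compute_match(encrypt(h(credential)), leaked_hashes)
    return any(decrypt(c) == 0 for c in replies)

LEAKED = [h(c) for c in ("alice:hunter2", "bob:letmein")]  # constructed list D
```

Because each difference is multiplied by a fresh random unit before it is returned, a non-matching reply decrypts to a random-looking value, so the client learns only whether a match exists and the server never sees H(k) in the clear.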

Not to be outdone, members of the Google Chrome team unveiled their own password protections this week. The main one is a more comprehensive password manager built into the browser.

“Chrome may already prompt you to update your saved passwords when you sign in to websites,” the Chrome team members wrote. “However, you may want to easily update multiple usernames and passwords, all in one convenient place. That’s why, starting with Chrome 88, you can manage all your passwords even faster and easier in Chrome’s settings on desktop and iOS (Chrome’s Android app will soon benefit from this feature).”

Chrome 88 also makes it easier to check whether saved passwords have been caught up in password dumps. While password auditing arrived in Chrome last year, the functionality is now accessible using a security check similar to the one pictured below:

[Image: Chrome security check. Credit: Google]

Many people are more comfortable with dedicated password managers because they offer more features than those built into their browser. Most dedicated managers, for example, make it easier to use dice words in a secure way. With the line between browsers and password managers starting to blur, it’s probably only a matter of time before browsers offer more advanced management capabilities.
