Chrome makes new password grab in version 34 Google has announced that Chrome 34 is now stable enough to be promoted to the Stable Channel. In a few days it will therefore become the default version for millions of users. Most of the updates to the browser are anodyne: there are 30-odd security fixes, a new look on Windows 8 and what Google labels “Lots of under the hood …
@Lars - fine, then switch it off. Personally I choose convenience over a (slight) risk in security. That's my choice and you can have yours. What's the problem?
What I really don't like is the site - even somewhere like the Open University - forcing me to type the bloody password every time, when I would rather not bother.
" Nobody should use a browser that is made by people who don't support freedom of expression."
I'm about to put all my computers in a skip, I am now ashamed to use any tech, any more.
Most of my clothes will also go, my pushbike, my car, I won't be eating anything either.
I refuse to acknowlede the existance of the ISS or NASA.
I am ashamed to have ever bought anything in my life, ever.
I don't even know why I'm even typing this using a box of chips that has been made using the blood of newborn babies and fluffy bunnies.
What sort of closeted, isolated Shangri-La do you live in?
"No there isn't. Nobody should use a browser that is made by people who don't support freedom of expression."
The CEO responsible for that was fired the other day.
Do try and keep up.
Or was that sarcasm? If so, for future reference, please remember to use "/sarcasm" tag. Thank you.
quote:
That means that even if users turn off Chrome's feature that collects and automatically enters their login credentials to web services, the browser will nonetheless make the offer to do so.
/quote
NO, that's not what it means, you totally misunderstood the change... if the user turns off the password manager then it stays off.
This change affects only when a web SITE specifies the parameter autocomplete=off on a password input field, the browser will ignore that and instead will use the USER's preference instead of the SITE's preference: if the user has the password manager enabled then it will use that for autocomplete. If the user has disabled the password manager then it stays disabled.
@G2
This change affects only when a web SITE specifies the parameter autocomplete=off on a password input field, the browser will ignore that and instead will use the USER's preference instead of the SITE's preference: if the user has the password manager enabled then it will use that for autocomplete. If the user has disabled the password manager then it stays disabled.
So Google, and apparently you, think that it is OK to break W3C HTML5?
quote:
So Google, and apparently you, think that it is OK to break W3C HTML5?
/quote
on the contrary, this behavior is mandated by the W3C HTML principles:
http://www.w3.org/TR/html-design-principles/#priority-of-constituencies
what's happening is that all the OTHER browsers are breaking the HTML design principles by forcing a user to do what a site wants (disabling the autocomplete) instead of prioritizing the user's wishes. In this case Chrome might be the first browser to actually comply with the W3C principles.
Now.. the problem here is that while browsers come with password managers and they ask the user if they want to save the password, a lot of people will click "yes" without thinking...
What the browser designers should have done instead of just blindly clicking on a "yes" button is forcing the user to think when they save a password.
Instead of just clicking that button they should be presented with a more puzzling challenge, e.g. solving a captcha or typing the "yes" answer themselves.
This post has been deleted by its author
Also, does Chrome store your passwords in the cloud so you can access them from anywhere? While I certainly hope they don't, nothing would surprise me.
If you have browser sync enabled Chrome copies your favourites, and autocomplete to a hidden file in your Google Drive, then if you log into Chrome from a different computer your settings are copied to that browser.
I knew it did the favourites, but I wasn't aware it synced autocomplete until I installed Chrome on a new PC at the weekend.
I'm not sure if I like this idea or not, depends who secure the encryption is on Google Drive
From the spec itself*:
"A user agent may allow the user to override an element's autofill field name, e.g. to change it from "off" to "on" to allow values to be remembered and prefilled despite the page author's objections, or to always "off", never remembering values. However, user agents should not allow users to trivially override the autofill field name from "off" to "on" or other values, as there are significant security implications for the user if all values are always remembered, regardless of the site's preferences."
In other words, google are following the spec to the letter on this one.
*source http://www.w3.org/TR/html51/forms.html#attr-fe-autocomplete
This post has been deleted by its author
I don't mind it installing itself as a service on my main machine after asking permission.
What I do mind is it automatically installing itself onto every other machine I had Chrome on...HTPCs/servers etc.
Simpler to just uninstall than faff about in settings. Chrome was good for giving the competition a kick up the arse...but these days it has no benefits over them, and a major downside (i.e. constantly having to be on your guard for 'new features' that are hooking you deeper into the googleplex). No thanks.
Can't comment on the latest version of Opera as it isn't available on Linux where I spend most of my time, but it's been getting a lot of unfavourable comments in their forums.(Bookmarks in particular.) I'm looking at moving away from Opera because 12, while being nice to use, tends to stall on a lot of pages at the last element and it tends to go mental if I want to look at Flash stuff. Don't like the feel of Chrome and Midori, which I had hopes for, puts massive black borders around any text entry fields if you have the wrong theme (GTK?) selected. Looks like it's going to be Firefox for me all the time soon, though I've never really been a fan. Probably gonna ditch Kontact too, in favour of Thunderbird. Because Akonadi is *sooo* great.
...to storing passwords somewhere, I just don't think that place should be the browser. It seems way too public a place to store them, both against external and, um... potential domestic threats, even encrypted behind a "master password". If I ever start using stored passwords, they should at the very least be auto-typed from my phone or another personal physical token - obviously, a challenge-based approach would be better than typing in a plaintext password but I have no idea how that could be achieved with the currently ubiquitous login boxes.
Well, I already know someone who's putting together a devastatingly simple and deliciously geeky thing. It involves an Arduino, a keypad, a chopped up USB cable, and enough code to say "oh hello computer, I am a keyboard."
Tap a PIN on the keypad. The Arduino fires a password over the USB cable. Magic password storing box. Tada.
Unsure. If I remember right, the idea of this thing is to use the URL, some other information and a salt to construct a hash, so you get a unique password for every site, without having to even make up a password.
The person I'm on about is a commentard here, so if they see this message, I'm sure they'll elaborate.
No reason not to do it yourself though, as I'm sure you'd agree. Even if it's been done before it's much easier to learn about programming if you have something to program. Exercises from textbooks or whatever are good, but something you actually want is better :)
This post has been deleted by its author
Well, I wasn't going for quite that. It displays the password on a small screen to type in. The trick is that the device doesn't have a master password as such - it has no persistent storage at all.
1. Enter 'master password'
2. Enter name of site.
3. Device outputs a printable-character representation of a truncated sha1 of whatever you just typed in.
Thus no worry about losing the device, and no possibility of someone cracking it somehow if they steal it. Every site gets a unique password.
So if your master password gets compromised then anyone anywhere will be able to work out the passwords to any sites you use?
If you forget the master password you lose access to all sites?
If you wish to change your master password you have to change the password on every site you've ever used?
You have to keep the device with you wherever you go?
You would have to type whole URLs and Master Password onto - i presume a small keyboard every time you want to visit a site?
Surely - KeePass or similar would be far easier.
I became more paranoid a few months ago and started using a password safe which can also generate passwords. Before this my passwords were pretty much the same with some variations. It's a pain when you want to logon somewhere where you can't open the safe but ill deal with it.
The ammount of credentials cached by browsers and their ease of access was rather straight forward. To easy for my liking. I'll keep avoiding Chrome thanks.
How is this in any way evil? It follows the W3C spec which says a user should decide whether to honour the autocomplete field. It also gives you the option of turning this off for this one site or all sites.
Anyone who doesn't want Google to store their passwords doesn't have to (any it is simple for even non-tech literate users to do this) but for people who do this it stops them having to use easy to remember passwords or write them down.
"That means that even if users turn off Chrome's feature that collects and automatically enters their login credentials to web services, the browser will nonetheless make the offer to do so."
Are you sure? Or does it mean that Chrome will offer to remember passwords for fields that have the autocomplete=off attribute set *by the server*, just like Safari does (if you toggle a setting).
Websites that force you to type in long secure unique passwords in over and over again should be shot and killed.
Then taken outside and shot and killed again.
If I want to use a tool to store long strong and unique passwords, then one is a web dev dick trying to stop me.
+1 for Chrome and google doing this.
I wish they had brought the Password Generator along too, I found it so much simpler in the BETA to be able to generate a complex random password directly using Chrome, and Google of course would automatically save the password it had generated. Despite what other people think, providing their Google account is using 2 factor auth - having Chrome generate a unique random password for every site is a most convenient way to stay secure on the web, knowing that if a site gets hacked - the password they may have for your account applies to that site only.
Means I can finally remove the auto-complete extension I've been using for the last few years to do exactly just this due to too many sites abusing this option.
Also means Chrome becomes a little more compliant with the W3C HTML specs.
Whilst I can understand Banking sites etc. using this, (and I'll continue to select not to remember on those sites), so many other sites use this option, when they have no good reason to do so (such as sites that don't deal with real money etc).
Putting the User back in control, which is kind of the point with HTML.
To be honest, I think this is sensible. I am a grown up adult, it is for me to decide what I choose for the browser to remember, not a website developer working on the website in question. It is their job to adhere to best practices in designing the form, my choice if I choose to override them. I generally get pissed off when some low level site I don't really care about forces me to enter a password every time and will not remember it (and neither would the browser currently). If I think its worth the risk for what that website stores, then thats my choice.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
