No competition
Okay, when will they federate all my other, several dozen (I'm not joking), accounts hither and yon? Actually I wouldn't put it past them to try, and try very well. PasswordSafe doesn't have anything to worry about for a while.
Android users will be able to store passwords in Google's native Smart Lock manager, in a security boon for the masses. The Choc Factory launched the Smart Lock for Passwords at the I/O conference in San Francisco overnight available in the Android M developer preview. It says developers including Orbitz, Netflix, and The New …
Because it's only one step away from automatically filling in the password field for you on each site.
That means that an individual site failure doesn't compromise all your passwords. There is still a possible weakness in the chocolate factory to worry about, but this is a good first step towards better passwords, and lower reuse.
If someone is targeting my device then yes, they get my passwords - but that's no different from the situation now. What this does mean is that another moonpig doesn't compromise 3 million people's gmail, facebook and banking passwords...
If they do it right then someone gaining access to your phone does not necessarily mean having them gain all of your passwords. Right now my existing password manager logs out on a timeout requiring a new master password login before it will fill passwords again.
No reason the built in version can't do the same (timeout)...
but that's just a second password - WIWTF with the passcode/pattern/word that you log in with.
Or is it actual two factor with the biometric - oh, no that'd be an option along with the passcode, so fractionally weaker than WIWTF...
Google I/O Android users will be able to store passwords in Google's native Smart Lock manager, in a security boon for the masses.
No, it's a security boon for whoever has access to that partition, and in that aspect I wouldn't trust Google with the code to a locker full of aged sweaty socks.
Give all your passwords to facilities offered by a company that is (a) US based and (b) mainly engaged in gathering information about people, often in defiance of local laws? Really? Surely you forgot the "joke" icon?
Not today, thank you.
The Chrome web browser already has a password manager. I don't know if it syncs between devices, but if it does, your passwords are in the cloud.
Windows has the Credential manager in the Control Panel which picks up saved passwords from IE and syncs them across your domain accounts.
The problem with absolutes like that, is you can end up losing out moving forwards. It's not right. It's not fair. But shit happens.
If you accept (as I do) that the worst outcome possible is to have a single password you use everywhere, then the risk of storing them in a cloudy vault must be lower? Maybe not much. But enough to justify the notion. Although I am well aware of the dichotomy of having a single password to access all your passwords ...
I wonder how much involvement the law enforcement agencies have with cloud password offerings. Not from a tinfoil hat perspective - quite the opposite. It's in their interests to ensure cloudy passwords stay safe. Imagine if Lastpass had a hack, and admitted that 100s of 1000s of users had their logins snaffled. How many court cases would be lost to the reasonable doubt when the defence claim their client didn't do it, as all their logins were stolen ......
So the real story is that Google has announced the "Credential API" - a proprietary Android only(?) interface that it hopes developers will standardise on and hence simplify the input of credential information into web pages. Currently, password applications have to 'read' the webpage to discover the relevant credentials fields being used by a particular site/application.
Can't see this really impacting existing password store vendors in the short-term because the API is just a small but key part of their product offering. Interestingly, if this interface takes off I can see an explosion in malware that attempts to hook calls using this interface.
Uh hu.. does this mean we'll be able to shut down all the Google stuff?
Thought not.
I guess you had to say such things. Otherwise, you'd have to change your moniker.
As it stands, you can already shut down the Google stuff by disabling the apps, though there are consequences to phone functionality. I would expect the same result with the new app permission controls.
"Google announced other initiatives to tighten security screws including the ability to approve or decline specific app permission requests, rather than the present all-or-nothing approval process."
"HUZZAH" anyone?
Ah, catching up with iOS I see (evil grin)..
If these keys are controlled by the same mechanisms that can't even securely erase critical data, then this feature merely provides a more convenient location for the keys to be recovered from.
Google needs to fix Android security, not release Apps that give people a false sense of security.
The passwords will be stored on Google's servers so that you can access them from any Googley device, therefore all passwords will be in one place, handy for security services to access, by warrant or not. I would expect this storage to hold your encryption keys too so all your encrypted communications can be decrypted on demand, thereby negating the need for anti encryption laws and Govt arguments that encryption only helps terrorists.
I'm surprised by people's willingness to rely on one company to provide so many services and not stopping to think what that company is getting out of it, how the company is paying for their empire or what they as individuals are paying for these 'free' trinkets.