Chrome’s new password manager stops you from using the same password for every website

Google is releasing an entirely new design for Chrome today with new features and tweaks to the browser’s overall appearance. You can read more about the redesign here, but one of the big new features is an improved password manager. Chrome will now offer to automatically generate a random password when you sign up to websites for the first time. This password will be stored securely inside a Google Account and synced across desktop and mobile versions of Chrome.

This should stop regular Chrome users from always picking the same password for each site, and ultimately ending up with a security headache if a site is breached. Chrome’s password manager is a welcome change, but you may still want to use a dedicated and separate password manager. Chrome only manages passwords inside its browser, so if you sign into various mobile apps or apps on a TV like Netflix then these login combinations won’t be stored in a Google Account. That’s particularly relevant now that iOS 12 is about to introduce the ability to autofill passwords across browsers and apps from third-party password managers.


Chrome’s new password manager

Google’s choice to offer a password generator and manager will likely trigger debate about best password practices. Some security experts argue web users should simply remember a long and memorable phrase for each password, while others recommend a random password with special characters that’s managed by a password manager. Both options should still take modern computers years to crack, until systems get faster or the age of quantum computing finally arrives. By then, we’re hoping the entire industry has figured out a reliable way to get rid of pesky passwords once and for all.

Chrome’s new password manager is available today as part of the Chrome 69 release.

Google’s in-house security key is now available to anyone who wants one

Google’s Titan Security Key is finally available to anyone who wants one. The two-factor token went live today in the Google store, with a full kit available for $50, shipping immediately. The kits include a USB key, a Bluetooth key, and various connectors. The key has been available to Google Cloud customers since July, when the project was first publicly announced.

Built to the FIDO standard, the Titan keys work as a second factor for a number of services, including Facebook, Dropbox, and GitHub. But not surprisingly, they’re built especially for Google account logins, particularly the Advanced Protection Program announced in October. Because the keys verify themselves with a cryptographic handshake rather than a static code, they’re far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.

According to Google, the production process also makes the keys more resistant to supply chain attacks. “This firmware is sealed permanently into a secure element hardware chip at production time in the chip production factory,” Cloud product manager Christiaan Brand said in a post today. “The secure element hardware chip that we use is designed to resist physical attacks aimed at extracting firmware and secret key material.”

You can enable security keys in your Google account from the two-step verification page, or sign up for the Advanced Protection Program here.

Google took down 39 YouTube channels linked to Iranian influence campaign

Google today disclosed details about its ongoing efforts to combat influence campaigns from foreign governments and other forms of election interference, with the company outlining its recent ban of 39 YouTube accounts linked to the Islamic Republic of Iran Broadcasting. Google’s announcement comes on the heels of Facebook’s admission earlier this week that it identified and deleted more than 600 accounts linked to both Iran and Russia that were coordinating influence campaigns on the platform by posting politically charged content.

Kent Walker, Google’s senior vice president of global affairs, says Google’s Threat Analysis Group worked alongside its Trust & Safety team and its Jigsaw division, the policy think tank turned ideas lab focused on cyberattacks and other geopolitical issues, to identify the Iranian influence campaign.

They did so with help from FireEye, an independent cybersecurity consultant that first disclosed information about Iran’s influence campaign on US social media sites earlier this week. In addition to the US, Iran appears to be targeting citizens in the UK, Latin America, and elsewhere in the Middle East, according to FireEye. The company’s full report on this specific Iranian influence operation was also published today. FireEye was instrumental in helping both Facebook and Twitter identify the Iran and Russia-linked state-sponsored accounts that were banned earlier this week.

According to Walker, Google collected evidence that linked the operators of 39 YouTube accounts — as well as six blogs on its self-publishing platform Blogger and 13 Google+ accounts — to the IRIB. The YouTube accounts only generated a little more than 13,000 views. Although Google says it cannot share concrete evidence with the public because it’s working closely with law enforcement, it describes the information linking these operations to Iran as related to domain ownership and account metadata. Google says the operation has been ongoing since January of 2017.

In addition to the Iran-linked social media influence campaigns, Google says it’s also detected state-sponsored phishing attacks targeting political campaigns, journalists, activists, and academics not just in the US, but globally. Walker says Google’s automated systems are helping it cut down on the volume of phishing attacks that ever make it to an unsuspecting user’s Gmail inbox. Earlier this week, Google posted a notice to its security blog discussing government-backed phishing attacks. The company says it’s also regularly notifying users and law enforcement about suspicious emails that seem to be part of a coordinated campaign.

Walker also outlined efforts by the Russian government’s Internet Research Agency (IRA), one of the primary misinformation peddlers on Facebook, which also engaged in the spread of misinformation on Google-owned websites last year as part of a broader election influence campaign.

“Since then, we have continued to monitor our systems, and broadened the range of IRA-related actors against whom we’ve taken action,” Walker writes. “Specifically, we’ve detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views). We’ve also identified and terminated the account associated with one blog on Blogger.”

Google announces its own security key for stronger logins

Today at the Next conference, Google announced a new product called the Titan Security Key, currently available to Cloud customers and scheduled for general sale in the coming months. The key is used to authenticate logins over Bluetooth and USB, similar to existing offerings from Yubico and other providers. A Google representative said the Titan key also includes special firmware developed by Google to verify its authenticity.

“Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key,” Google said in a post announcing the key.

The Titan key is built to the FIDO specification, a long-planned authentication standard supported by a number of apps and browsers. As a result, the device can also be used to log into non-Google services, although those services may not be able to take advantage of the same firmware verification. (Google accounts have supported security key and other FIDO logins since 2014.) Like previous security keys, the Titan key offers significantly stronger security than a confirmation code, which can sometimes be stolen through a relay attack.

Users hoping to take advantage of that protection should make sure to disallow non-security key logins, available through Google’s Advanced Protection program. It’s also wise to keep a second key in protected storage in case the primary key is lost or stolen.

Google has been testing the key internally for over a year, but only recently made it available outside the company. Google employees are required to log in with physical tokens for security reasons, a system that seems to be working. Earlier this week, the company announced it had not had a single successful account takeover since implementing the policy in early 2017.