The Web Browser as the Ultimate Password Manager

We are notoriously bad at password hygiene. Yet, it is crucial for our digital lives. How many of us managed to convince our friends and family members to use a strong and unique password for every service which they use? How about the grumpy response when you suggest them to always use a password manager for everything?

Unfortunately, this problem is not going away anytime soon. The good news is, it is likely that a web browser which we already use everyday is going to solve our problem. My prediction is that every web browser will expand its functionality to be your ultimate, ubiquitous, and secure password management tool.

How is it possible? Well, let us take a look at all major functionalities offered by a password manager, if such a password manager wants to be successful.

First, it has to store the passwords securely (very obvious, isn’t it?).

Second, it must synchronize those passwords across different browsing sessions, perhaps also across different devices. Imagine that you sign up for Airbnb on its website, and then book a vacation house for your next trip. While you are on the road, ready to relax and enjoy your vacation, you probably need to open Airbnb website again on a different computer or even use the Android/iOS app of Airbnb. It will be quite a hassle if you can not retrieve your Airbnb password since it was only tucked nicely inside the laptop you have left at home.

Third, it should generate a password for you. Human is not good at choosing a strong secret, gravitating towards personal, discoverable things: the dog’s name, birthday, spouse’s name, favorite movie character, celebrity crush, etc. This is why a password strength estimator is important, but sadly not every registration form adopts it. And even with the Diceware approach, the barrier is just too much for normal mortals. However, the password manager can easily, and in fact it should always do that, offer a generated strong password at your disposal.

If you look at the above criteria, most major web browsers already implemented the first two. The users of the most popular web browser, Google Chrome, usually enjoy the ability to have its Chrome profile synchronized across different multiple devices, e.g. a personal laptop vs an Android phone. How about password generation? Fortunately, Google now starts the experimentation of this feature on the latest Chrome Canary. It is currently based on FIPS 181, but that NIST standard has been obsoleted so hopefully we will see an up-to-date implementation.

password generation on Chrome

When this password generation feature is finally deployed to the stable version of Chrome, millions of Internet users will have one less reason to use a weak password or even to reuse the same password over and over again. That is a very good thing! I am not surprised if this also means that Microsoft will push the same feature to its Edge browser, as well as Apple with its Safari browser. Update: Safari does this already but only within the macOS and iOS world.

But what about native mobile apps? Well, once your passwords are securely stashed and synchronized by the browser, it is a matter of a tight integration with the application framework. On Android, Google is already heavily advocating for Smart Lock for Passwords. Many popular Android apps, from Netflix to Airbnb, already started to adopt this approach. Try to login to Airbnb on Chrome for desktop, have the password saved and synchronized, and now launch Airbnb app on your favorite Android. Voila! The app will offer to automatically sign you in, using the credentials synchronized from your Airbnb on desktop Chrome. It is a seamless experience, you do not even to have to remember nor type that long password anymore.

I am optimistic that the era of worrying about weak secrets and scrambling to copy/paste unmemorable phrases will be long gone. Safeguarding our digital lives should be a pleasant experience!

Note: This article was previously published on LinkedIn.

Source: Ariya Hidayat

Leave a Reply

Your email address will not be published.