I broke out into a cold sweat watching this as I remembered all the times I've inadvertently pasted sensitive stuff into a document. It's still very cool though, I'll just need to remember to be careful when sharing documents.
I wonder how much sensitive information is inadvertently pasted into a browser location bar or autofill text box that's silently captured by web apps like Google Docs?
I know I've accidentally done the "paste password" into those places accidentally at times.
I believe (can't recall the source at the moment) that on Google computers, they actually watch all of your input for password input, and if you enter your password somewhere other than the official Google single-sign on interface, will make you rotate your password. They're pretty serious about not letting you type your password anywhere other than where you're supposed to.
That sounds like a pretty big security hole. Just "type" random letters until you get a warning saying not to enter your password outside of password fields.
There's no such warning displayed, because that would be a security hole.
This password security measure is a Chrome extension that's required by company policy to be installed on all corporate machines. It watches all input (to browser forms) and if it detects your password being typed anywhere other than an actual sign-on page, then the next time you sign on successfully you're required to change your password. I believe there's also an e-mail notification, but it's delayed.
This is actually a pretty good password security technique, specifically because people often inadvertently type their password into the wrong forms due to focus errors, lack of caffeine, etc.
Because I can't think of an efficient way to do that that doesn't involve having the extension have access to the password.
I mean, you could store the password hash + length, but then you're securely hashing every single overlapping substring of what you enter, which is not exactly fast. Especially as KDFs are designed to be slow.
And if you store the password hash then you enable an offline attack.
So then you're sending every keystroke people make to a central server?
Even assuming that the connection is secure (never a good assumption), that still means that there is a single point of failure. And one with drastic consequences.
True, but anyone that can gain privileged access to the computer is already king of the castle. Why attack it offline when you can just keylog it? I think it goes back to being one part of an overall security posture. Encrypt your workstations and people can't just pick them up and own them.
This seems really unlikely. Do they really calculate hashes for all words in a Google document? What if your password is a sentence? Do they calculate hashes for all the fields in a spreadsheet too?
My browser URL bar has received a few passwords, usually just a local computer password but occasionally something more sensitive. Makes me wonder about the permissions my collection of browser addons has.
I've also chucked a few passwords into IRC in times past. Fortunately non-essential stuff but really motivated me to sort out some better solutions (SSH keypairs, etc).
Plenty of times I've come back to my computer, typed my OS password expecting that it was locked, waited for my display's turn-on lag, and found that it wasn't locked (grace period). I type the password blind, but reserve the enter until I have visual feedback.
At least typical IRC clients don't transmit until hitting enter. Browser omnibars and JavaScript can send away every keystroke as it happens. Now I want to search all my Google Docs for my passwords -- let alone other stupidity I don't care to share.
A long time ago in a lecture hall far, far away a head of school was giving us a pre-exam talk of some kind. It was to all health science students. As he talked he logged into the system. With the projector showing what he was doing he missed the tab key and typed his username and password into the username field. I had a look round the room and no one else seemed to have noticed. On his desktop sat a folder titled "Exam papers" or something similar.
> I wonder how much sensitive information is inadvertently pasted into a browser location bar or autofill text box that's silently captured by web apps like Google Docs?
Well, if you paste something in the location bar, presumably it'll already be on its way to Google (or whichever service handles autocompletion/suggestion)...
I had a bad habit of using it to remove style from pasted text. Shift+CMD+V (or something like that, muscle memory) does the trick, but I didn't know that a few years ago.
Well, I found that I would use search/URL fields as a "temporary scratchpad" for passwords, when I had to copy-paste something else, and didn't want to lose the password in my clipboard. The history means I don't have to worry about that anymore.
Not quite as bad but Google Docs is of course used in Google (and others') interviews. It's a bit disconcerting when you realise that all the backspacing/revisions you made are there forever.
(makes me want to go back and see whether I can see other people's comments .... hmmm)