Hacker News new | past | comments | ask | show | jobs | submit login

I believe (can't recall the source at the moment) that on Google computers, they actually watch all of your input for password input, and if you enter your password somewhere other than the official Google single-sign on interface, will make you rotate your password. They're pretty serious about not letting you type your password anywhere other than where you're supposed to.



That sounds like a pretty big security hole. Just "type" random letters until you get a warning saying not to enter your password outside of password fields.


There's no such warning displayed, because that would be a security hole.

This password security measure is a Chrome extension that's required by company policy to be installed on all corporate machines. It watches all input (to browser forms) and if it detects your password being typed anywhere other than an actual sign-on page, then the next time you sign on successfully you're required to change your password. I believe there's also an e-mail notification, but it's delayed.

This is actually a pretty good password security technique, specifically because people often inadvertently type their password into the wrong forms due to focus errors, lack of caffeine, etc.


How would you do that though?

Because I can't think of an efficient way to do that that doesn't involve having the extension have access to the password.

I mean, you could store the password hash + length, but then you're securely hashing every single overlapping substring of what you enter, which is not exactly fast. Especially as KDFs are designed to be slow.

And if you store the password hash then you enable an offline attack.


It wouldn't have to do it in real time right? It could easily batch typing sessions and have the server chew through them asynchronously.


So then you're sending every keystroke people make to a central server?

Even assuming that the connection is secure (never a good assumption), that still means that there is a single point of failure. And one with drastic consequences.


But doesn't any service that you authenticate against assume the channel is secure? Presumably this would use SSL.

I do agree about the single point of attack though. Perhaps you could do an asynchronous substring check locally when the CPU is idle.


But then anyone who can gain access to the computer once can then perform an offline attack on the password at their leisure.


True, but anyone that can gain privileged access to the computer is already king of the castle. Why attack it offline when you can just keylog it? I think it goes back to being one part of an overall security posture. Encrypt your workstations and people can't just pick them up and own them.


This seems really unlikely. Do they really calculate hashes for all words in a google document? What if your password is a sentence? Do they calculate hashes for all the fields in a spreadsheet too?




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: