back to article Chrome makes new password grab in version 34

Google has announced that Chrome 34 is now stable enough to be promoted to the Stable Channel. In a few days it will therefore become the default version for millions of users. Most of the updates to the browser are anodyne: there are 30-odd security fixes, a new look on Windows 8 and what Google labels “Lots of under the hood …

COMMENTS

This topic is closed for new posts.
  1. Lars Silver badge

    My passwords are mine, only mine, so just piss off.

    1. Steve Button

      @Lars - fine, then switch it off. Personally I choose convenience over a (slight) risk in security. That's my choice and you can have yours. What's the problem?

      What I really don't like is the site - even somewhere like the Open University - forcing me to type the bloody password every time, when I would rather not bother.

  2. bazza Silver badge

    Chrome...

    ...deleted

    1. beep54

      Re: Chrome...

      Why even use Chrome in the first place when there's Chromium, Iron and Dragon. Same engine. Maxthon is kind of interesting also. I find I need backup browsers for when, say, Firefox wants to open each and every flash object on a page. All at once....

  3. Anonymous Coward
    Devil

    Nup

    I've never trusted it and I never will.

  4. Anonymous Coward
    Anonymous Coward

    Fortunately, there is still Firefox

    Nuff said

    1. Mark 85 Silver badge

      Re: Fortunately, there is still Firefox

      But for how long before they join the data leeches?

    2. Anonymous Coward
      Anonymous Coward

      Re: Fortunately, there is still Firefox

      No there isn't. Nobody should use a browser that is made by people who don't support freedom of expression.

      1. Elmer Phud
        WTF?

        Re: Fortunately, there is still Firefox

        " Nobody should use a browser that is made by people who don't support freedom of expression."

        I'm about to put all my computers in a skip, I am now ashamed to use any tech, any more.

        Most of my clothes will also go, my pushbike, my car, I won't be eating anything either.

        I refuse to acknowlede the existance of the ISS or NASA.

        I am ashamed to have ever bought anything in my life, ever.

        I don't even know why I'm even typing this using a box of chips that has been made using the blood of newborn babies and fluffy bunnies.

        What sort of closeted, isolated Shangri-La do you live in?

      2. Anonymous Coward
        Anonymous Coward

        Re: Nobody should use a browser blah blah

        Stop using JavaScript for all sites then.

        Stop being a cock too.

      3. ecofeco Silver badge

        Re: Fortunately, there is still Firefox

        "No there isn't. Nobody should use a browser that is made by people who don't support freedom of expression."

        The CEO responsible for that was fired the other day.

        Do try and keep up.

        Or was that sarcasm? If so, for future reference, please remember to use "/sarcasm" tag. Thank you.

        1. Anonymous Coward
          Anonymous Coward

          Re: Fortunately, there is still Firefox

          It was indeed sarcasm. Should need to add a tag, and you lot need to stop taking yourselves so seriously. 30 downvotes? 30 retards...

    3. southpacificpom
      Happy

      Re: Fortunately, there is still Firefox

      Have an upvote from me due to best joke of the day

    4. Anonymous Coward
      Anonymous Coward

      Re: Fortunately, there is still Firefox

      Did I read somewhere recently that Firefox is being kept alive with funding from Google?

  5. G2
    FAIL

    @article author: reading comprehension FAIL

    quote:

    That means that even if users turn off Chrome's feature that collects and automatically enters their login credentials to web services, the browser will nonetheless make the offer to do so.

    /quote

    NO, that's not what it means, you totally misunderstood the change... if the user turns off the password manager then it stays off.

    This change affects only when a web SITE specifies the parameter autocomplete=off on a password input field, the browser will ignore that and instead will use the USER's preference instead of the SITE's preference: if the user has the password manager enabled then it will use that for autocomplete. If the user has disabled the password manager then it stays disabled.

    1. ratfox

      Re: @article author: reading comprehension FAIL

      Thanks for the correction. Looks like the Reg has modified the article now.

      Now, if that's what happening, then it makes a lit more sense. No objections from me.

    2. Andrew Witham

      Re: @article author: reading comprehension FAIL

      What you say makes sense. So I upgraded to v34 and tried it out by logging into a couple of sites. No request to save password.

    3. Tim99 Silver badge
      Stop

      Re: @article author: reading comprehension FAIL

      @G2

      This change affects only when a web SITE specifies the parameter autocomplete=off on a password input field, the browser will ignore that and instead will use the USER's preference instead of the SITE's preference: if the user has the password manager enabled then it will use that for autocomplete. If the user has disabled the password manager then it stays disabled.

      So Google, and apparently you, think that it is OK to break W3C HTML5?

      1. zooooooom

        Re: @article author: reading comprehension FAIL

        "So Google, and apparently you, think that it is OK to break W3C HTML5?"

        Fuck yeah. Its a mark up language, not a contract.

        1. Tim99 Silver badge
          Joke

          Re: @article author: reading comprehension FAIL

          @zooooooom

          "So Google, and apparently you, think that it is OK to break W3C HTML5?"

          Fuck yeah. Its a mark up language, not a contract.

          So, you would be a systems/hardware person then?

        2. G2

          Re: @article author: reading comprehension FAIL

          quote:

          So Google, and apparently you, think that it is OK to break W3C HTML5?

          /quote

          on the contrary, this behavior is mandated by the W3C HTML principles:

          http://www.w3.org/TR/html-design-principles/#priority-of-constituencies

          what's happening is that all the OTHER browsers are breaking the HTML design principles by forcing a user to do what a site wants (disabling the autocomplete) instead of prioritizing the user's wishes. In this case Chrome might be the first browser to actually comply with the W3C principles.

          Now.. the problem here is that while browsers come with password managers and they ask the user if they want to save the password, a lot of people will click "yes" without thinking...

          What the browser designers should have done instead of just blindly clicking on a "yes" button is forcing the user to think when they save a password.

          Instead of just clicking that button they should be presented with a more puzzling challenge, e.g. solving a captcha or typing the "yes" answer themselves.

      2. Def Silver badge

        Re: @article author: reading comprehension FAIL

        So Google, and apparently you, think that it is OK to break W3C HTML5?

        Google have always had a fairly cavalier attitude to standards anyway. They're as bad today as Microsoft used to be.

        Also, does Chrome store your passwords in the cloud so you can access them from anywhere? While I certainly hope they don't, nothing would surprise me.

        1. sabroni Silver badge

          Re: OK to break W3C HTML5

          It's a "living standard". Once Google push this to all the Chrome desktop users it IS the standard!

        2. Lazlo Woodbine

          Re: @article author: reading comprehension FAIL

          Also, does Chrome store your passwords in the cloud so you can access them from anywhere? While I certainly hope they don't, nothing would surprise me.

          If you have browser sync enabled Chrome copies your favourites, and autocomplete to a hidden file in your Google Drive, then if you log into Chrome from a different computer your settings are copied to that browser.

          I knew it did the favourites, but I wasn't aware it synced autocomplete until I installed Chrome on a new PC at the weekend.

          I'm not sure if I like this idea or not, depends who secure the encryption is on Google Drive

      3. Graham Dawson Silver badge

        Re: @article author: reading comprehension FAIL

        From the spec itself*:

        "A user agent may allow the user to override an element's autofill field name, e.g. to change it from "off" to "on" to allow values to be remembered and prefilled despite the page author's objections, or to always "off", never remembering values. However, user agents should not allow users to trivially override the autofill field name from "off" to "on" or other values, as there are significant security implications for the user if all values are always remembered, regardless of the site's preferences."

        In other words, google are following the spec to the letter on this one.

        *source http://www.w3.org/TR/html51/forms.html#attr-fe-autocomplete

  6. Chris Ashworth

    I've uninstalled Chrome from all my machines after the last update that installed itself as a background service on ALL my PCs that had it installed.

    I find IE a pretty capable browser these days. Might give Opera another go though.

    1. Def Silver badge

      Might give Opera another go though.

      Opera is just Chromium these days, and it's total piece of shit. Version 12 was the last real Opera. I'm currently pondering which browser I should migrate to.

      Maybe I'll write my own. (Or at least drop my own UI on top of the more standardised components out there.)

    2. AceRimmer

      Chrome warned me about running as a background service and asked me permission to do so.

      You can turn it off in the advanced settings, it's not difficult to find for someone technically competent

      1. Anonymous Coward
        FAIL

        re: google update

        The problem is that the installer ignores the currently installed version's parameter setting? Why? Do they think I turned off automatic updates by mistake?

      2. Chris Ashworth

        I don't mind it installing itself as a service on my main machine after asking permission.

        What I do mind is it automatically installing itself onto every other machine I had Chrome on...HTPCs/servers etc.

        Simpler to just uninstall than faff about in settings. Chrome was good for giving the competition a kick up the arse...but these days it has no benefits over them, and a major downside (i.e. constantly having to be on your guard for 'new features' that are hooking you deeper into the googleplex). No thanks.

    3. Anonymous Coward
      Anonymous Coward

      @Chris Ashworth

      Can't comment on the latest version of Opera as it isn't available on Linux where I spend most of my time, but it's been getting a lot of unfavourable comments in their forums.(Bookmarks in particular.) I'm looking at moving away from Opera because 12, while being nice to use, tends to stall on a lot of pages at the last element and it tends to go mental if I want to look at Flash stuff. Don't like the feel of Chrome and Midori, which I had hopes for, puts massive black borders around any text entry fields if you have the wrong theme (GTK?) selected. Looks like it's going to be Firefox for me all the time soon, though I've never really been a fan. Probably gonna ditch Kontact too, in favour of Thunderbird. Because Akonadi is *sooo* great.

  7. DropBear

    I'm not entirely opposed...

    ...to storing passwords somewhere, I just don't think that place should be the browser. It seems way too public a place to store them, both against external and, um... potential domestic threats, even encrypted behind a "master password". If I ever start using stored passwords, they should at the very least be auto-typed from my phone or another personal physical token - obviously, a challenge-based approach would be better than typing in a plaintext password but I have no idea how that could be achieved with the currently ubiquitous login boxes.

    1. M Gale

      Re: I'm not entirely opposed...

      Well, I already know someone who's putting together a devastatingly simple and deliciously geeky thing. It involves an Arduino, a keypad, a chopped up USB cable, and enough code to say "oh hello computer, I am a keyboard."

      Tap a PIN on the keypad. The Arduino fires a password over the USB cable. Magic password storing box. Tada.

      1. Joe Harrison

        Re: I'm not entirely opposed...

        Don't want to spoil your friend's Arduino fun but hasn't this been done already? (Yubikey)

        1. M Gale

          Re: I'm not entirely opposed...

          Unsure. If I remember right, the idea of this thing is to use the URL, some other information and a salt to construct a hash, so you get a unique password for every site, without having to even make up a password.

          The person I'm on about is a commentard here, so if they see this message, I'm sure they'll elaborate.

          1. DaLo

            Re: I'm not entirely opposed...

            "and enough code to say 'oh hello computer, I am a keyboard.' "

            " the idea of this thing is to use the URL"

            Keyboards aren't told the URL of a web page so there must be more to it than that.

        2. Anonymous Coward
          Anonymous Coward

          Re: I'm not entirely opposed... @Joe Harrison

          No reason not to do it yourself though, as I'm sure you'd agree. Even if it's been done before it's much easier to learn about programming if you have something to program. Exercises from textbooks or whatever are good, but something you actually want is better :)

      2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: I'm not entirely opposed...

        Well, I wasn't going for quite that. It displays the password on a small screen to type in. The trick is that the device doesn't have a master password as such - it has no persistent storage at all.

        1. Enter 'master password'

        2. Enter name of site.

        3. Device outputs a printable-character representation of a truncated sha1 of whatever you just typed in.

        Thus no worry about losing the device, and no possibility of someone cracking it somehow if they steal it. Every site gets a unique password.

        1. KjetilS

          Re: I'm not entirely opposed...

          That sounds an awful lot like security through obscurity

        2. DaLo

          Re: I'm not entirely opposed...

          So if your master password gets compromised then anyone anywhere will be able to work out the passwords to any sites you use?

          If you forget the master password you lose access to all sites?

          If you wish to change your master password you have to change the password on every site you've ever used?

          You have to keep the device with you wherever you go?

          You would have to type whole URLs and Master Password onto - i presume a small keyboard every time you want to visit a site?

          Surely - KeePass or similar would be far easier.

  8. wyatt

    I became more paranoid a few months ago and started using a password safe which can also generate passwords. Before this my passwords were pretty much the same with some variations. It's a pain when you want to logon somewhere where you can't open the safe but ill deal with it.

    The ammount of credentials cached by browsers and their ease of access was rather straight forward. To easy for my liking. I'll keep avoiding Chrome thanks.

  9. Forget It
    Meh

    It's a shame Chrome can delete it CEO like Firefox can.

    Don't be Evil → Don't be greedy

  10. Anonymous Coward
    Happy

    Thanks Google...

    ...now just need to wait for the Iron release

  11. Bartholomew Bronze badge

    If you must use chrome, I'd go with Iron - less "features"

    No unique Installation-ID sent to Google

    No Suggestions (remote logging of everything you type to google)

    No Alternate Error Pages

    1. Anonymous Coward
      Anonymous Coward

      re: alternate error pages

      I agree. At least firefox still allows you to display the error codes.

  12. Tim99 Silver badge
    Big Brother

    Beyond parody

    Google "Don't be evil" indeed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Beyond parody

      How is this in any way evil? It follows the W3C spec which says a user should decide whether to honour the autocomplete field. It also gives you the option of turning this off for this one site or all sites.

      Anyone who doesn't want Google to store their passwords doesn't have to (any it is simple for even non-tech literate users to do this) but for people who do this it stops them having to use easy to remember passwords or write them down.

  13. fuplaya
    WTF?

    hmmmmm

    They must of read how to annoy users and alienate their user base.

    1. Boothy Silver badge
      WTF?

      Re: hmmmmm

      How is giving the user the choice to use this or not, annoying and alienating them?

      Next you'll be saying that removing options that people use makes those users happy?!

  14. Jack Douglas

    Are you sure?

    "That means that even if users turn off Chrome's feature that collects and automatically enters their login credentials to web services, the browser will nonetheless make the offer to do so."

    Are you sure? Or does it mean that Chrome will offer to remember passwords for fields that have the autocomplete=off attribute set *by the server*, just like Safari does (if you toggle a setting).

  15. Anonymous Coward
    Anonymous Coward

    Websites that force you to type in long secure unique passwords in over and over again should be shot and killed.

    Then taken outside and shot and killed again.

    If I want to use a tool to store long strong and unique passwords, then one is a web dev dick trying to stop me.

    +1 for Chrome and google doing this.

  16. Anonymous Coward
    Anonymous Coward

    Lastpass ?

    I'd rather use a purpose built password manager, than rely on one that's effectively an afterthought.

  17. Anonymous Coward
    Anonymous Coward

    Finally

    I want my passwords stored except for the ones that involve money. Many sites dont allow password saving even though no cash changes hands. I'll decide.

  18. Anonymous Coward
    Anonymous Coward

    I assume this is at the request of certain government organisations for sites they currently do not have a back door route into?

  19. Andrew Jones 2

    I wish they had brought the Password Generator along too, I found it so much simpler in the BETA to be able to generate a complex random password directly using Chrome, and Google of course would automatically save the password it had generated. Despite what other people think, providing their Google account is using 2 factor auth - having Chrome generate a unique random password for every site is a most convenient way to stay secure on the web, knowing that if a site gets hacked - the password they may have for your account applies to that site only.

  20. RyokuMas Silver badge
    Stop

    "No comment..."

    Jesus, yet more creepiness and underhand behaviour from Google... why don't they just come out and announce "ALL YOUR LIVES ARE BELONG TO US!"

  21. Boothy Silver badge
    Go

    Goodbye auto-complete extension

    Means I can finally remove the auto-complete extension I've been using for the last few years to do exactly just this due to too many sites abusing this option.

    Also means Chrome becomes a little more compliant with the W3C HTML specs.

    Whilst I can understand Banking sites etc. using this, (and I'll continue to select not to remember on those sites), so many other sites use this option, when they have no good reason to do so (such as sites that don't deal with real money etc).

    Putting the User back in control, which is kind of the point with HTML.

    1. ecofeco Silver badge

      Re: Goodbye auto-complete extension

      HTML? How quaint. Don't you know the modern web master "developer" uses only PHP, CSS, Ruby on Rails, the not-yet-ratified-HTML5, Java and, well, anything but HTML?

      Get with the times, old man!

      /sarcasm

      /rant

      /body

      /html

  22. bigtimehustler

    To be honest, I think this is sensible. I am a grown up adult, it is for me to decide what I choose for the browser to remember, not a website developer working on the website in question. It is their job to adhere to best practices in designing the form, my choice if I choose to override them. I generally get pissed off when some low level site I don't really care about forces me to enter a password every time and will not remember it (and neither would the browser currently). If I think its worth the risk for what that website stores, then thats my choice.

    1. ecofeco Silver badge

      2 points.

      1) I agree

      2) Unfortunately in this day, ALL websites are bombarded 24/7 with hack attempts of every nature. Log ins have become mandatory thanks to that.

  23. ecofeco Silver badge

    Yet another security problem

    I tried Chrome. Then I saw it didn't have half the security customization that FF did and dropped it.

    While the speed is great, the failure in security makes it a show stopper.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021