Google Chrome May Soon Use 'AI' To Replace Compromised Passwords (arstechnica.com)
Google's Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. From a report: Google's preliminary copy suggests it's an "AI innovation," though exactly how is unclear.
Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, "Automated password Change" (so, early stages -- as to not yet get a copyedit), is described as, "When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in."
Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google's Password Manager and "is encrypted and never seen by anyone," the settings page claims.
No AI involved. (Score:5, Insightful)
The article elaborates on this point: nothing about this feature seems to need or use AI. So, if it does wind up being categorized as an AI innovation, that's just pure marketing hype.
Not surprising, the latest trends in AI have been far more marketing hype than anything else. Including my favorite: redefining "AGI" to mean "used to make lots of money." instead of anything that would even suggest "general intelligence."
Re: (Score:2)
It's just so mind-numbingly stupid. The marketing droids out there don't even understand what the hell "AI" is. Then they redefine AGI so it's some kind of deus ex machina. I think someone needs to strap these market droids into a not-so-comfortable decrepit Lazy-Z-Boy and force them to watch the entire Terminator series followed by The Matrix. Hell, I think they should have to sit through the Terminator 3 nuclear missile launch scene on loop for at least a half hour.
Re: (Score:2)
A Grand Illusion?
(improvements welcome)
Re: (Score:2)
> A Grand Illusion?
> (improvements welcome)

Now I have the song running through my head. Don't think I've heard it in over 30 years.
Re: (Score:2)
It's the same nonsense as with the Google+ fiasco. Everything has to be AI whether it makes sense or not.
Re: (Score:2)
> The article elaborates on this point: nothing about this feature seems to need or use AI. So, if it does wind up being categorized as an AI innovation, that's just pure marketing hype.
> Not surprising, the latest trends in AI have been far more marketing hype than anything else. Including my favorite: redefining "AGI" to mean "used to make lots of money." instead of anything that would even suggest "general intelligence."

First thing I thought of. It seems like years that my Macs would tell me if I was using a compromised password, long before the AI buzzword Bingo world.
what AI (Score:2)
Automated password change is fine. Probably a good idea. But this could happen without anything related to LLMs or generative AI being involved. Google already detects passwords found in data breaches and tells you to change them.
Re: (Score:2)
Yeah, this sounds more like 'neat Chrome plugin' than 'AI'.
Re:what AI (Score:4, Insightful)
> Automated password change is fine. Probably a good idea.

Not always. I intentionally use crappy passwords for offline internal networks that are not routable to/from the public Internet, because being able to give someone that crappy password off the top of my head is more important than securing something that could only be attacked by physically walking up to the switch and plugging in a computer right in front of our faces.
I guarantee passwords like "admin" show up in data breaches all the time. Do I care? No. Would I be pissed off if some browser decided to helpfully change it, and then I couldn't access it from another device that wasn't using that browser from that account? Oh, yes. Breaking access to production systems during a live shoot is the fastest way to get your browser perma-banned from my show network in one easy step.
As long as there is explicit user consent prior to making the change, I have no problem with it, of course.
Re: (Score:2)
"I intentionally use crappy passwords for offline internal networks that are not routable to/from the public Internet"
At work we have a bunch like that including some gear where the vendor is long out of business but the stuff just keeps on working & there's scant money to replace whatever it is.
Some of our less technical groups struggled to manage some old gear where the UI was Java-based & browsers wouldn't load such old applets & the PCs were blocked from using older Java versions or even por
Re: (Score:2)
> ... But this could happen without anything related to LLMs or generative AI being involved. ...

Totally agree. But, that said, one has to start somewhere when rolling out solutions based on a new system/language/paradigm. LLM/AI may have been used to figure out how to do the password change on every disparate provider (it's never the same on every site), which is something that would take a human a fair bit of time, and would require constant updates and patching to keep it working. I'm not involved with this in any way, FWIW, but I'd bet this is a good real world use of it, where they have to includ
Re: (Score:2)
No, automated password change is NOT fine. A browser has no idea what that password is, why it is what it is, where else it may be used, who else may need the password, and more.
Pointless (Score:3)
Suggestions for secure passwords have been around for a while. The problem is they are worthless for something that a human might remember. Just relying on the browser to store your password isn't very helpful because your access is dependent on that device. It sounds like this is just a way of forcing you to use Google's password manager, which makes you dependent on Google for access to everything.
Re: (Score:3)
I was going to say the same thing: How is having a password that the user doesn't know any different from just using SSH keys?
This problem has already been solved. Passwords are used because remembering a password is less of a hassle than teaching the average user how to use, safeguard, and copy SSH keys. Creating a password that nobody knows isn't any more secure, except in that it possibly locks the user out of accessing their accounts from their phone.
Re: Pointless (Score:2)
Re: (Score:2)
> Suggestions for secure passwords have been around for a while. The problem is they are worthless for something that a human might remember. Just relying on the browser to store your password isn't very helpful because your access is dependent on that device. It sounds like this is just a way of forcing you to use Google's password manager, which makes you dependent on Google for access to everything.

So much this. While a password like W3a5-dDOU-u1kv7-wDgjo is pretty good, people should use passphrases. Just as good - and you can make them pretty long. Sprinkle in a couple special characters, and then you can remember it.
Re: (Score:3)
> a password like W3a5-dDOU-u1kv7-wDgjo is pretty good

That's amazing, I have the same combination on my luggage!
Sorry, couldn't resist.
Re: (Score:3)
Yeah, I also don't want my Netflix password changed to ^YYTG#YUHYUgsdsF% automatically because it just happened to find a password that looks like mine in a list of 50 million passwords, and then have to enter that new terrible password on a dozen Smart TVs and other devices that don't use Google's password manager on-screen keyboard. Opt me out of this "security enhancement", thanks.
Marketing BS (Score:2)
Wow! Amazing! Right? Maybe not.
Re: (Score:2)
> It's like when everyone was putting "blockchain" in their company name to capitalize on the average moron's cursory understanding of blockchain technology.

I don't remember this in the slightest. I imagine it was just the crypto-bros doing it in a sad attempt to get normal people to care... or to even notice.
AI-powered condoms - putting brains in your head (Score:2)
Already several posts above mine, all with the same observation - what does this have to do with AI?
User logs in or connects. Look up username in database of compromised passwords. Find a match? > prompt user to change password - OR - now, a new service, we will change it for you.
That's nice - a good idea and considerate service from one point of view, perhaps another layer of security risk from other points of view. Either way, it seems like a simple task using rudimentary programming principles used
Re: (Score:2)
You had to ignore a decade of people complaining about spambots on social media to say this. That's weird.
Google AI (Score:1)
No thank you (Score:2)
I already get enough of the "hey, your password may have been compromised" messages on my Android phone and I think also in Edge on my PC. I don't want Google or anyone else offering to change that password (or worse, doing it automatically).
Take your digits off of my passwords! (Score:2)
I stole those fair and square and no AI is going to change them without my consent.
Is this vendor lock-in? (Score:3)
If Chrome saves this re-write in Google Password, a skilled user can access the password and update his/her password manager. Not pretty but cyber-security continues as normal.
If the owner of the account can never see the new password, the account can only be accessed using Chrome browser and only on a device sharing the same Google/Chrome account. This is vendor lock-in, which also forces all devices to share the one account. We've already seen this problem with Windows 11: A child uses an adult's computer to log in to his/her account, now the computer always connects to the child's account. (Solution 1: Use another computer to change the password of the child's account, preventing auto-login. Solution 2: Create a new Microsoft online account and slave the adult's computer to it.)
Password Transformation (Score:3)
Re: (Score:2)
Well, one could argue that it's just abstracted a bit. You still have to "know" your password vault's master password.
Re: (Score:2)
Obligatory SpongeBob SquarePants (Score:2)
Whenever I see one of these companies trying to pretend something that could've been done 10-20 years ago was now some magical AI innovation, it makes me think of a SpongeBob SquarePants episode - the one where the Krusty Krab decided to extend their hours. SpongeBob kept announcing the various mundane normal tasks he was doing... except now they were "at night!".
https://youtu.be/m90R7j3D3DM
Google... (Score:2)
In (google's) Soviet Russia, password guesses you!
Re: (Score:2)