Re: Should the password manager show the password length? (was: Re: chrome.passwordsPrivate API Proposal)

Chris Palmer

May 6, 2015, 8:26:38 PM
to Lucas Garron, Kyle Horimoto, apps-dev, security-enamel, chromium...@chromium.org, Benjamin Kalman, Mike West, Sabine Borsay
It's an interesting question — strictly better security against a physically-present attacker (who is therefore already outside our threat model), vs. some slight reminder to the legitimate user as to how good/strong/long that password is* — but we have more interesting and pressing questions that need answers at the moment, to be honest. :)


* "Was goat@yahoo my good account or my throw-away? Oh, I see it has a short password... must be my throwaway account. giraffe@yahoo must be my good one; it has a long password."

On Wed, May 6, 2015 at 5:19 PM, 'Lucas Garron' via Security Enamel <securit...@chromium.org> wrote:
I was surprised by the line that read:

 // Used to display placeholder dots instead of real password.
 numCharactersInPassword: number,


It turns out that the Chrome password manager always shows password length, which I did not know. (To reveal, you still have to click "Show" and enter a system password if you have one.)


I use 1Password, so I'm used to a fixed number of dots, and it feels weird to me to reveal any information about the passwords. But who knows, maybe the familiarity of the current system is worthwhile to many people.

I discussed this with Sabine and Mike (from the privacy team, which happens to be in MTV right now). None of us came out of it with a strong opinion on whether fixed length is better or not.

Does anyone know if we have other precedents for deciding about something like this?

»Lucas

On Wed, May 6, 2015 at 3:51 PM 'Kyle Horimoto' via Security Enamel <securit...@chromium.org> wrote:
Hi apps-dev,

This document contains a proposal for the chrome.passwordsPrivate API, which will be utilized by the material settings page.

Let me know your questions/comments. Thanks!

Kyle

--
Kyle Horimoto | Software Engineer | khor...@google.com | 310-938-8531
