Update, September 20, 2024: This story, originally published on September 19, now includes an explanation of password cracking and the use of hashes.
Passkeys are, without a doubt, the future of login security. 1Password called them “nearly impossible for hackers to guess or intercept,” and Google uses them to replace hardware keys and two-factor authentication for high-risk users. Now Google has taken this move towards a password-free future a step further: secure passkey sync across devices, currently with Chrome on Windows, macOS, Linux and Android, with iOS support still in development but promised soon.
Google announces secure passkey login on (almost) all your devices
Until now, although almost everyone agrees that passkeys are both simpler to use and more secure than traditional password logins, Google only allowed you to store passkeys in Google Password Manager on Android. Sure, you could use them wherever you wanted, but that involved scanning a QR code on your Android device, which, I can say from personal experience, made me look to alternative passkey providers like 1Password and Apple. All this has changed with a new announcement by Chirag Desai, a Chrome product manager at Google, about updates rolling out now to make the experience as seamless as it should be. No QR codes required.
Once a passkey is saved, no matter which device you used, it will automatically sync with your other devices, so logging into any account or service is just a matter of scanning your fingerprint, Desai announced. This new sync feature revolves around a new Google Password Manager PIN that adds another layer of security to the process, ensuring that “your passkeys are end-to-end encrypted and cannot be accessed by anyone, not even Google,” Desai said.
You’ll need either your Google Password Manager PIN or the screen lock on your device when you start using passkeys for the first time on a new Android device. However, no new apps are required, as passkey support is already built into both Chrome and Android devices.
How hackers crack your passwords
If ever an announcement about passwordless login came at the right time, this one from Google is it. While no technology can ever be 100% secure, using a passkey instead of a username and password combination is a huge step toward a more secure process. New research from Gediminas Brencius, head of product development at NordPass, the password manager from well-known VPN provider NordVPN, delves into the techniques threat actors use to crack stolen passwords, and it’s thought-provoking.
Let’s get the elephant in the room out of the way right away: if your password is stored in plain text, then you might as well have texted it to a hacker. Most services instead store something known as a hash, the output of a one-way mathematical function that converts a variable-length plaintext password string into a fixed-length binary sequence. No matter how long your password or passphrase is, the hash will always be the same fixed length. One-way is important here: it is easy to turn the password into a hash, but extremely difficult to reverse the process. Difficult, but not impossible. Because the same input always produces the same hash output, it is possible to work out, through trial and error (brute force), which password produced a given hash, but it takes significant time and computing resources.
“Different hashing algorithms have different computational complexity, which affects how quickly a hacker could guess the encrypted values,” said Brencius. “bcrypt and Argon2 algorithms are designed to be slow to make brute force attacks more difficult, while MD5 or SHA-1 can be calculated faster.”
Speed is, quite literally, of the essence when it comes to cracking passwords. The once impossible moves within the realm of the possible with enough computing power. “Typical personal computers are designed for general purpose computing and have a limited number of cores, typically 4 to 64,” Brencius said. “The more cores they have — the more parallel tasks they can run at once.” This is why threat actors will try to use networks of high-powered devices with multiple graphics cards, giving them access to thousands of cores. “They use a whole network of infected machines or they use the most powerful computers to crack passwords,” according to Brencius. “They don’t always own that hardware — in some cases, especially if the target is of significant importance, they can rent the required tools.”
This is why the advice when it comes to password creation will always be to go long. A typical 25-character random password string mixing character types, or a passphrase combining several random words, will be vastly harder to crack than a short, simple one. Of course, the advice now should be to always use a passkey where available, as a hacker would need both your device and your biometrics to use one.
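To make the fast-versus-slow distinction Brencius draws concrete, here is an added Go example (not code from the article, NordPass or Google): an unsalted single-pass MD5 beside a salted, iterated HMAC-SHA256, which is the PBKDF2 construction written out so the per-guess cost is visible. Function names, the password and the salt are my own constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// fastHash: the unsalted single-pass digest the article calls fast; one MD5 per guess,
// and identical passwords always yield identical hashes, so precomputed tables work.
func fastHash(password string) string {
	sum := md5.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// slowHash stretches the password with iters chained HMAC-SHA256 rounds over a per-user
// random salt (PBKDF2-HMAC-SHA256 for a 32-byte key); every guess now costs iters hashes.
func slowHash(password string, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// verify recomputes the stretched hash and compares in constant time.
func verify(password string, salt, stored []byte, iters int) bool {
	return hmac.Equal(slowHash(password, salt, iters), stored)
}

func main() {
	salt := make([]byte, 16)
	rand.Read(salt) // constructed per-user salt; stored next to the hash, not secret
	stored := slowHash("correct horse battery", salt, 100000)
	fmt.Println(fastHash("password")) // 5f4dcc3b5aa765d61d8327deb882cf99
	fmt.Println(verify("correct horse battery", salt, stored, 100000)) // true
	fmt.Println(verify("Correct horse battery", salt, stored, 100000)) // false
}
```

Raising iters is the defender's lever: the legitimate login pays the cost once, while every guess against a stolen database pays it again.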
Passkey technology explained
Passkeys came about as a joint Apple, Google and Microsoft initiative developed with the FIDO Alliance, an open industry association that aims to reduce people’s reliance on passwords. Based on public key cryptographic protocols, the same as those that underpin hardware security keys, passkeys are considered phishing-resistant, which is hugely important given today’s threat landscape. Passkeys are “resistant to phishing and other online attacks,” Google said, “making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication.”
A passkey credential is set up once on the device and then reused as often as needed, unlocked with the device’s biometric user verification, whether that is a fingerprint or a face scan. If biometrics are not available, a PIN code can be used instead. Importantly, it is the user’s possession of the device, combined with authenticating to it with those biometrics, that makes passkeys secure. The remote server at the service, website or account you are signing in to simply asks you to pass your screen lock to complete the authentication process.
Passkeys are built to the FIDO Alliance standard, so each implementation works seamlessly with any browser or operating system. Importantly, the user’s screen lock biometric data is never sent to the website you are connecting to. Google will never see it. Instead, only the cryptographic proof that you have successfully passed the screen lock is transferred. You can try them on Passkeys.io, where a simple demo account shows how easy they are to use and set up.
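The challenge-response that produces that “cryptographic proof”, as an added Go sketch that is not Google’s or the FIDO Alliance’s code: the relying party stores only a public key and sends a fresh random challenge; the device signs it only after the screen-lock check passes, and binds the signature to the origin it believes it is talking to. Type and function names are mine, the unlocked flag stands in for the biometric check, and real WebAuthn carries the origin in signed client data rather than in this simplified hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Passkey is the credential that never leaves the device; unlocked stands in for the
// screen-lock or biometric check that gates every use of the private key.
type Passkey struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// RelyingParty is the website's side: user name -> public key, and nothing secret.
type RelyingParty map[string]*ecdsa.PublicKey

func NewPasskey() *Passkey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Passkey{priv: priv}
}

// Register hands the site the public key only.
func (rp RelyingParty) Register(user string, pk *Passkey) { rp[user] = &pk.priv.PublicKey }

// Challenge is a fresh random nonce per login, so a captured signature cannot be replayed.
func (rp RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Sign is the device's half: refuse without user verification, then sign the challenge
// bound to the origin. Only this signature, never the biometric, is sent to the site.
func (pk *Passkey) Sign(origin string, challenge []byte) ([]byte, error) {
	if !pk.unlocked {
		return nil, errors.New("user verification failed")
	}
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...)) // origin-bound digest
	return ecdsa.SignASN1(rand.Reader, pk.priv, d[:])
}

// Verify is the site's half: it binds to its own origin, so a signature a phishing site
// obtained for its origin does not verify here.
func (rp RelyingParty) Verify(user, origin string, challenge, sig []byte) bool {
	pub, ok := rp[user]
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...)) // the site's own origin
	return ok && ecdsa.VerifyASN1(pub, d[:], sig)
}
```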