21 September 2022

All Your Passwords Are Belong to Us

Someday companies will take security seriously... No, actually I don't expect either of these two companies to EVER take security seriously. Google, Microsoft can get your passwords via web browser's spellcheck

Google, like so many tech companies, is built on spying on people. And I'm convinced that Microsoft doesn't believe there is anything they shouldn't know about people using Windows.

Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively.

While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.

While I get that you want to spellcheck forms, does the language change so much that a downloaded static dictionary is not good enough?

When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled.

Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.

In cases where Chrome Enhanced Spellcheck or Edge's Microsoft Editor (spellchecker) were enabled, "basically anything" entered in form fields of these browsers was transmitted to Google and Microsoft.

Because of course it is.

Users can mitigate this risk by turning off Chrome's enhanced spellcheck via the settings. In Edge, you actually need to install a browser add-on to make this behavior manifest. (So, don't install it.)

Web developers can explicitly stop sending some data to spellcheckers - like User ID and Password - by adding the attribute spellcheck="false" to every input field where spellchecking doesn't make sense, like Social Security Number or Password.

But of course that would A) require that the developers know about the attribute, and B) care enough to use it. And I'm tempted to add C) not be in league with Google or Microsoft.
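For the developers who do know and do care, here is an added example (mine, not from the original post, and not anything Google, Microsoft or Twitter ship): a small Node.js script that scans a form's HTML for sensitive inputs that are not marked spellcheck="false", so a Twitter-style password field with spellcheck turned on gets caught before it ships. The list of sensitive field names and the sample form are constructed for the example.

```javascript
// Added example: audit form markup for sensitive inputs an enhanced
// spellchecker would still see. Plain string scan, runs in Node with no DOM.
// Name patterns and the sample form below are constructed, not real.

// Input types and name fragments treated as sensitive (assumption: tune for your forms).
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_NAME_RE = /(user|passw|ssn|sin|social|secret|token|card|cvv|iban|account|dob|birth)/i;

// Parse the attributes of one <input ...> tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").toLowerCase();
  }
  return attrs;
}

// One finding per sensitive <input> not opted out with spellcheck="false".
function auditSpellcheck(html) {
  const findings = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const field = a.name || a.id || "(unnamed)";
    const sensitive = SENSITIVE_TYPES.has(a.type) || SENSITIVE_NAME_RE.test(field);
    if (!sensitive || a.spellcheck === "false") continue; // opted out correctly
    findings.push({
      field,
      type: a.type || "text",
      spellcheck: a.spellcheck === undefined ? "missing" : a.spellcheck,
      fix: `set spellcheck="false" on <input name="${field}">`,
    });
  }
  return findings;
}

// Constructed sample: a login form like the Twitter one described above,
// where the password field explicitly turns spellcheck ON.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username" spellcheck="false">
  <input type="password" name="password" spellcheck="true">
  <input type="text" name="ssn">
  <input type="text" name="comment">
</form>`;

console.log(auditSpellcheck(SAMPLE_FORM)); // two findings: password, ssn
```

Run it over your own templates as a build step; any finding is a field whose contents may leave the browser when enhanced spellcheck is on.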

Ironically enough, we observed that Twitter's login form, which comes with the "show password" option, has the password field's "spellcheck" HTML attribute explicitly set to true.

Which makes absolutely NO sense. But then Twitter. If you are using a password that is a dictionary word of any kind, well, you deserve whatever you get.

As I said, someday companies will take security seriously, but it is not this day.

And yes, I am aware of Diceware, and of creating long passwords via stochastic methods. (See the xkcd comic below.) I even used that method for a while, but I find it easier to use a password manager. If you use Diceware, or something similar, you should use more than 4 words. Diceware currently defaults to 6. I would probably use 7. (Note that it isn't 4 or 7 words that you come up with yourself. That would not be random.)

[Image: xkcd "Password Strength" comic]
