Issue 727527

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Security: Password generation vulnerability (Chrome generate password feature)

Reported by victormo...@googlemail.com, May 30 2017

Issue description

VULNERABILITY DETAILS
Password generation in Chrome (generate password option in chrome://flags) displays vulnerabilities.

VERSION
Chrome Version:   [latest stable Mac OS]
Operating System: [Mac OS Sierra 10.12.4]

REPRODUCTION CASE
Using the "Generate password" option in the context menu on a password field reveals the following vulnerabilities:

1) The final character in the password is always a digit
2) The remaining characters are only chosen from [A-Za-z] - no special characters
3) The password is of a fixed length (15 characters)

 
Cc: elawrence@chromium.org
Components: UI>Browser>Passwords>Generation
It's not the case that the final character is always a digit; it is a digit more often than chance, I believe, due to the fixup process that ensures that the password contains at least one digit. https://cs.chromium.org/chromium/src/components/autofill/core/browser/password_generator.cc?type=cs&l=60

I expect that limiting the character set is a deliberate design decision for compatibility with websites' password restrictions.

Using a fixed 15 characters as the length (PasswordGenerator::kDefaultPasswordLength = 15) is arguably a weakness; however, 62^15 = 768909704948766668552634368, an implausibly large search space for a brute-force attacker.

As the user is presented with the candidate password (and this feature is off-by-default anyway), I don't think this is an Issue that needs to be kept private.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
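
Added example (not part of the thread and not Chrome's code): a simplified model of the effect described in the comment above. It assumes 15 characters drawn uniformly from the 62-symbol [A-Za-z0-9] alphabet and a hypothetical fixup that overwrites the final character with a digit when none was drawn, then computes the final-character bias and its cost in min-entropy.

```python
import math
import random
import string
from fractions import Fraction

LENGTH = 15                      # kDefaultPasswordLength, as quoted in the thread
LETTERS, DIGITS = string.ascii_letters, string.digits
ALPHABET = LETTERS + DIGITS      # 62 symbols, matching the 62^15 estimate


def generate(rng):
    """Assumed model (not Chrome's code): uniform draw, then digit fixup."""
    pw = [rng.choice(ALPHABET) for _ in range(LENGTH)]
    if not any(c in DIGITS for c in pw):
        pw[-1] = rng.choice(DIGITS)   # hypothetical fixup: force a final digit
    return "".join(pw)


def p_last_digit():
    """Exact probability that the final character is a digit."""
    by_chance = Fraction(len(DIGITS), len(ALPHABET))
    by_fixup = Fraction(len(LETTERS), len(ALPHABET)) ** LENGTH  # no digit drawn
    return by_chance + by_fixup       # disjoint events, so they add


def support_size():
    """Distinct outputs: all-letter strings can no longer be emitted."""
    return len(ALPHABET) ** LENGTH - len(LETTERS) ** LENGTH


def min_entropy_bits():
    """-log2 of the likeliest output (14 letters followed by one digit)."""
    uniform = Fraction(1, len(ALPHABET) ** LENGTH)
    # Such a string is drawn directly, or produced by fixup from any of the
    # 52 all-letter strings sharing its prefix, each with a 1-in-10 digit pick.
    p_max = uniform * (1 + Fraction(len(LETTERS), len(DIGITS)))
    return -math.log2(p_max)


def observed_last_digit_rate(samples=20000, seed=1):
    """Empirical check; seeded PRNG is for repeatability, not real passwords."""
    rng = random.Random(seed)
    return sum(generate(rng)[-1] in DIGITS for _ in range(samples)) / samples


if __name__ == "__main__":
    print(f"P(final digit) = {float(p_last_digit()):.4f}, chance = {10 / 62:.4f}")
    print(f"observed       = {observed_last_digit_rate():.4f}")
    print(f"min-entropy    = {min_entropy_bits():.2f} bits")
```

Under these assumptions the final character is a digit about 23% of the time instead of about 16%, and the likeliest outputs are 6.2 times more probable than the rest, which costs under 3 bits out of roughly 89.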

Comment 3 by vabr@chromium.org, Jun 8 2017

Cc: dvadym@chromium.org
Labels: Pri-3
Status: WontFix (was: Unconfirmed)
Thanks for the explanation in #1.
Based on that, I will close this bug.
The feature is being reviewed by Chrome security as part of the standard launch process.