Ask HN: Why don't Google or Apple make complete password Managers?
9 points by omosubi 36 days ago | 10 comments
By complete password managers I mean ones that work across all their devices and are synced ~in the cloud~. It seems like they would get a big chance to lock more people into their platforms.



I might be missing something, but I think Apple’s iCloud KeyChain [1] does exactly what you’re describing (for Apple devices only ofc).

[1] https://support.apple.com/en-us/HT204085


OMG this whole situation infuriates me.

I've complained about this to Google's security folks, and basically the answer I got there was that they don't believe in password managers as a solution and would rather have FIDO/U2F become a thing.

Another part, I think, is that building a password manager is hard. I tried to build my own and quickly found that the problem of finding out which fields are username/password fields was not always easy. Some websites don't even mark password fields with type="password", so you end up with JavaScript ML systems and massive site-specific lists for guessing which fields are username/password fields, and it's a pretty big task to make it really work.

Also, if you've ever recommended a password manager to someone not very technical, pretty soon they forget their master password, and now can't access their passwords, and it's your fault.

Having said all that, Chrome's password manager has been getting better, and they do have an app auto-logic on Android, so maybe those will combine. But I don't think it's a good lock-in strategy for Google, because they don't have a holistic ecosystem - most people are not using Chromebooks - so there isn't really any lock in play for them. Same thing goes for Microsoft, and to some extent Apple, since Safari isn't overwhelmingly popular on OSX.

IMO what is really needed is a standard for this, rather than lock in, so that these companies can co-operate on this and stop trying to make this a marketing bullet point.
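
The field-detection problem described in the comment above, sketched as an added example that is not part of the original thread or any real password manager's code: a scoring heuristic that still finds the password field when a site does not mark it with type="password". The field descriptor shape, the hint patterns and the weights are assumptions for illustration.

```javascript
// Heuristic login-field detection over plain field descriptors (added example).
// Descriptor shape, hint patterns and weights are assumptions for illustration.
const PASS_HINT = /pass(word|wd)?|pwd/i;
const USER_HINT = /user|login|e-?mail|account/i;
const SKIP_TYPES = new Set(["hidden", "submit", "button", "checkbox", "radio"]);

function score(f, kind) {
  const ac = f.autocomplete || "";
  const hint = [f.name, f.id, f.placeholder].filter(Boolean).join(" ");
  if (kind === "password") {
    return (f.type === "password" ? 3 : 0) +
      (/^(current|new)-password$/.test(ac) ? 3 : 0) +
      (PASS_HINT.test(hint) ? 2 : 0);
  }
  return (/^(username|email)$/.test(ac) ? 3 : 0) +
    (f.type === "email" ? 2 : 0) +
    (USER_HINT.test(hint) ? 2 : 0);
}

// Returns indexes into `fields`; null where no field could be identified.
function classifyFields(fields) {
  const usable = fields.map((f, i) => ({ f, i }))
    .filter(({ f }) => !SKIP_TYPES.has(f.type));
  const best = (kind, exclude) => {
    let top = null;
    for (const { f, i } of usable) {
      const s = i === exclude ? 0 : score(f, kind);
      if (s > 0 && (top === null || s > top.s)) top = { i, s };
    }
    return top === null ? null : top.i;
  };
  const password = best("password", null);
  let username = best("username", password);
  // Fallback: the nearest usable field before the password field.
  if (username === null && password !== null) {
    const before = usable.filter(({ i }) => i < password);
    if (before.length > 0) username = before[before.length - 1].i;
  }
  return { username, password };
}

// Constructed sample: the password input is type="text" and masked by script.
const sampleForm = [
  { type: "hidden", name: "csrf" },
  { type: "text", name: "acct", placeholder: "Member ID" },
  { type: "text", name: "pwd", placeholder: "Secret" },
  { type: "checkbox", name: "remember" },
];
console.log(classifyFields(sampleForm)); // { username: 1, password: 2 }
```

Name-based hints like these misfire on unrelated fields (a "passport" input matches the password pattern), which is why real implementations end up with the site-specific lists the comment mentions.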


> I've complained about this to Google's security folks, and basically the answer I got there was that they don't believe in password managers as a solution and would rather have FIDO/U2F become a thing.

They have a point. We've had the technology for improving authentication for literally decades - that's effectively what a SIM does. We've had these secure modules in our smartphones forever. The technology is dirt cheap, ubiquitous, and with the advent of these wireless transports the user interface problem is solved. The infuriating thing for me is we still don't use it.

Google has succeeded in forcing the planet to move to https, so I guess they imagine they can do the same thing for authentication. If they succeed they will kill phishing. I wish them luck.

If it were possible to have a NFC WebAuthn implanted in the back of my hand and I could invisibly control the userHandle it handed out by invisibly twitching a muscle or something, I'd be falling over myself to get the surgery done.


This is exactly what iCloud Keychain does, except (unless it’s changed recently?) you can sync it peer to peer too, you don’t have to store the contents in iCloud.

The only part it’s “missing” is a 2FA TOTP generator, but apps like https://cooperrs.de/otpauth.html work quite well in that regard so it’s not a major pain point.

Safari + (iCloud) Keychain is IMO evidence that good password management can work client side - these “alternative” solutions like login links via email etc are basically catering to the shit experience of other browsers/platforms.


Google would probably just prefer you sign in to all your services just using their account.

Thus you wouldn't need a password manager if everything was Google Identity Platform....

That aside chrome has a password manager. I'm not saying it is the perfect solution, but it is there.


You cannot sign in to your bank using your Google account.


Google probably wishes you would...

Other than a handful of cases that they're not focused on I'm thinking they're still focused on their identity platform.


On macOS: Safari app -> Preferences (Cmd-,) -> Passwords

Alternatively: /Applications/Utilities/Keychain Access.app

On iOS: Settings app -> Passwords and accounts -> Touch ID/Face ID


probably because then they would be liable for when someone hacks your shit and then uses it to login to your bank and steal all your stuff


> probably because then they would be liable for when someone hacks your shit and then uses it to login to your bank and steal all your stuff

Which law specifically would make Apple liable if your iCloud keychain was hacked and the credentials used?



