Where Google Chrome security fails: the password

A lot of people, including me, are excited about Chrome OS, Google's forthcoming desktop operating system. One of the things that has people worked up is Chrome OS' improved security over Windows. That's true. It should be better, and I'll talk more about that tomorrow, but before you get too excited about that you should know that Chrome has its elephant sized security problem.

You see everything you'll do on a Chrome OS computer is based on the good old user/password concept. This SSO (single sign on) key unlocks all your information, which is stored on the cloud. This means you can log into your account from any Google Chrome device. That's the good news. That's also the bad news.

On Chrome, all your personal information is only a login away. And, when I say all your information, I mean all. This isn't just access to a critical file or information about one bank account, it's every file and all the information you keep in those files.

If you could trust people to use good passwords and use them correctly that might not be so bad. But, you can't.

As a long-time network administrator, I already knew this from my own experience with users. Recently though I was horrified to find proof that was it even worse than I thought it was. In a Human Factors and Ergonomics Society study, Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users (PDF Link), they revealed, for example, that after decades of being preached at about the need to use good passwords, people still use bad ones. For example, a MySpace study "showed that 65% of all passwords contained 8 characters or less. The most frequently used passwords were: password1; abc123; myspace1; and password."

People also continue to use lousy password security practices. For example, the same study cites surveys showing that "15-20% of the users of an office supply manufacturer on a regular basis wrote down their password on a post-it sticker next to their computer. Results of a study among 1300 business professionals show that 66% of respondents reported that employees keep password paper records at work and 58% reported that employees keep electronic password records (for example in a Word document or spreadsheet)."

This is a commonplace problem that's in no way unique to Chrome. What considers me about Chrome is that the key to your entire information kingdom comes down to a single user-name and password. That's one heck of a single point of failure.

With business password-protected systems, you need to be on a specific computer or on a particular network to access important data. With Chrome, you, or a cracker, can be anywhere on the Internet and get to all of your data.

Google knows this is a problem. They plan on addressing it. Google is looking into biometrics, such as a fingerprint reader; smart cards; or Bluetooth. But, as Google points out in their Chrome OS security documents, all of these have their own share of problems. So, while Google will be keeping an eye on these security technologies, it looks like the first-generation of Chrome devices are going to be relying on the very unreliable login-password model.

Eventually, I think Google will have to add one of these technologies to Chrome to make it more secure. I don't see that they'll have any choice in the matter. Login/password is just too darn easy a way to get into a Chrome user's information.

For what it's worth, I suggest that Google look into building smartcardtechnology into a USB stick. All devices now come with USB ports so there's no added cost and this will make Chrome OS orders of magnitude harder for a cracker to get into someone's account. Yes, that does mean that users would need to keep track of their Chrome USB stick, but I think the improved security far outweighs the inconvenience of carrying a USB stick.

What do you think?