November 23, 2009, 11:42 AM — A lot of people, including me, are excited about Chrome OS, Google's forthcoming desktop operating system. One of the things that has people worked up is Chrome OS' improved security over Windows. That's true. It should be better, and I'll talk more about that tomorrow, but before you get too excited about that, you should know that Chrome has its own elephant-sized security problem.
You see, everything you'll do on a Chrome OS computer is based on the good old user/password concept. This SSO (single sign-on) key unlocks all your information, which is stored in the cloud. This means you can log into your account from any Google Chrome device. That's the good news. That's also the bad news.
On Chrome, all your personal information is only a login away. And, when I say all your information, I mean all. This isn't just access to a critical file or information about one bank account; it's every file and all the information you keep in those files.
If you could trust people to use good passwords and use them correctly, that might not be so bad. But you can't.
As a long-time network administrator, I already knew this from my own experience with users. Recently, though, I was horrified to find proof that it was even worse than I thought it was. A Human Factors and Ergonomics Society study, "Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users" (PDF Link), revealed, for example, that after decades of being preached at about the need to use good passwords, people still use bad ones. For example, a MySpace study "showed that 65% of all passwords contained 8 characters or less. The most frequently used passwords were: password1; abc123; myspace1; and password."
People also continue to use lousy password security practices. For example, the same study cites surveys showing that "15-20% of the users of an office supply manufacturer on a regular basis wrote down their password on a post-it sticker next to their computer. Results of a study among 1300 business professionals show that 66% of respondents reported that employees keep password paper records at work and 58% reported that employees keep electronic password records (for example in a Word document or spreadsheet)."
This is a commonplace problem that's in no way unique to Chrome. What concerns me about Chrome is that the key to your entire information kingdom comes down to a single user-name and password.