Where Google Chrome security fails: the password
Google promises that Chrome will be much more secure than Windows. Well, yes, but it also has one big problem.
A lot of people, including me, are excited about Chrome OS, Google's forthcoming desktop operating system. One of the things that has people worked up is Chrome OS' improved security over Windows. That's true. It should be better, and I'll talk more about that tomorrow, but before you get too excited about that you should know that Chrome has its own elephant-sized security problem.
You see, everything you'll do on a Chrome OS computer is based on the good old user/password concept. This SSO (single sign-on) key unlocks all your information, which is stored in the cloud. This means you can log into your account from any Google Chrome device. That's the good news. That's also the bad news.
On Chrome, all your personal information is only a login away. And, when I say all your information, I mean all. This isn't just access to a critical file or information about one bank account, it's every file and all the information you keep in those files.
If you could trust people to use good passwords and use them correctly that might not be so bad. But, you can't.
As a long-time network administrator, I already knew this from my own experience with users. Recently, though, I was horrified to find proof that it was even worse than I thought it was. In a Human Factors and Ergonomics Society study, Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users (PDF Link), the authors revealed, for example, that after decades of being preached at about the need to use good passwords, people still use bad ones. For example, a MySpace study "showed that 65% of all passwords contained 8 characters or less. The most frequently used passwords were: password1; abc123; myspace1; and password."
People also continue to use lousy password security practices. For example, the same study cites surveys showing that "15-20% of the users of an office supply manufacturer on a regular basis wrote down their password on a post-it sticker next to their computer. Results of a study among 1300 business professionals show that 66% of respondents reported that employees keep password paper records at work and 58% reported that employees keep electronic password records (for example in a Word document or spreadsheet)."
This is a commonplace problem that's in no way unique to Chrome. What concerns me about Chrome is that the key to your entire information kingdom comes down to a single user-name and password.
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Security
I heard mention that the Chrome OS will have some sort of encryption available a la BitLocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data, provided its users do so.
And Ubuntu has an 'encrypt home directory' option; perhaps Google should follow suit.
Security.
The user carries the greatest responsibility since whatever security measures Google will integrate, the user will be the weakest point of failure. What could Google do short term?
Give users some options to narrow down what can be viewed from where.
Suppose I have a netbook.
Google could give me the option of a full view of my data from this netbook (i.e. serial numbers of the hardware as extra credentials) and a limited view from everywhere else.
On this netbook a secure key is used in combination with a password.
Now you need possession of both the right hardware (the netbook) and login credentials to be able to view the data.
Is it rock solid? No, but neither are all the security measures the bank is enforcing when somebody is pointing a gun to my head.
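The two-tier idea in the comment above (full view only with both the password and the enrolled netbook, limited view with the password alone) can be sketched as follows. This is an added example, not part of the original comment or of anything Google ships; the function names, labels and work factor are assumptions, and it uses a random per-device secret instead of a hardware serial number, because serial numbers are not secret.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ROUNDS = 200_000  # assumed PBKDF2 work factor for this sketch


def enroll_device() -> bytes:
    """Random secret kept only on the trusted netbook (e.g. in a TPM)."""
    return secrets.token_bytes(32)


def _keys(password: str, salt: bytes, device_secret: Optional[bytes]):
    """Return (limited_key, full_key); full_key is None without the device."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    limited = hmac.new(stretched, b"limited-view", hashlib.sha256).digest()
    full = None
    if device_secret is not None:
        # Both factors feed the full-view key: the password alone cannot rebuild it.
        full = hmac.new(device_secret, b"full-view" + stretched,
                        hashlib.sha256).digest()
    return limited, full


def enroll_account(password: str, salt: bytes, device_secret: bytes) -> dict:
    """What the service stores: hashes of the two keys, never the keys."""
    limited, full = _keys(password, salt, device_secret)
    return {
        "limited": hashlib.sha256(limited).digest(),
        "full": hashlib.sha256(full).digest(),
    }


def access_level(password: str, salt: bytes,
                 device_secret: Optional[bytes], record: dict) -> str:
    limited, full = _keys(password, salt, device_secret)
    if not hmac.compare_digest(hashlib.sha256(limited).digest(),
                               record["limited"]):
        return "denied"    # wrong password: nothing is visible
    if full is not None and hmac.compare_digest(
            hashlib.sha256(full).digest(), record["full"]):
        return "full"      # right password on the enrolled netbook
    return "limited"       # right password, unknown or missing device
```

A stolen password used from another machine gets only the limited view here, which is the narrowing the comment asks for.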
What about
Biometrics, perhaps? Since the netbooks which will run Chrome OS will be only certified ones, Google could push for these kinds of devices on them.