
If you are a security professional or someone who has done a course on
computer security, you will know that the security of your computing environment
is only as strong as the weakest link among its network and users. A single user
in your network who is careless with passwords can wreak havoc on the network.
Google is trying to be a leader in the SaaS and PaaS world by offering
wide-ranging apps including Google Search, Google Apps, Google App Engine, etc.
To lock users in to its services and make the cloud computing experience
seamless for them, Google released a browser, called Google Chrome, which is
really lightweight and lightning fast. Google recently took
off the beta label from the browser. Knowing Google’s love for the beta
term, this was a big surprise.
Unless you are paranoid in your computing world, like Dick Cheney wants you
to be in the real world, you will save your passwords in your browser’s password
manager. In fact, many users don’t even think about the impact of storing the
passwords in the browser. If we are going to keep all our data in the clouds,
including sensitive emails, banking information, etc., it is very important for
us to rethink the way we store passwords.
As a cloud user, storing the passwords in the browser is akin to locking the
door and keeping the key in the lock itself. If you think that is insane, it
appears that the locks are not even locking the doors after you lock them with
your keys. A recent study
released by Chapin Information Services reports that all the browsers are doing
a bad job in protecting the stored passwords. In particular, Google Chrome comes
out to be the worst in the league.
Currently, the password manager that is closest to solving the first three
problems is built into Opera 9.62. With invisible form elements deactivated,
options to limit saved passwords to a single page, and partial destination
checking, this is certainly one of the more worry-free products.
Also new to this round of testing is Safari 3.2 for Windows. Safari and
Chrome are essentially tied for the worst password manager built into a major
web browser.
It is ridiculously insane for Google to do such a bad job on the security
front when they aspire to be the Microsoft of Cloud Computing. If Google’s
browser is so lousy on the security front, what kind of message will it send to
users who are already reluctant to put their data in the clouds and give up
a certain level of control in exchange for nearly ubiquitous availability of
their data? This study should be a rude awakening for Google and other browser
vendors and it should also serve as a warning for those users who save their
passwords in their browsers.
To think that security is even a discussion point instead of being a factual portion of the design raises serious questions about the future of a lot of these solutions.
We’re all very trusting, I trust you, you trust me, or as it’s typically seen, I trust you, you trust someone else, therefore I trust that other person? Security by inference is found to be a flawed model because getting to that third party is often quite easily done.
Someone needs to give Google a serious kick in the ass if they’re going to be treating things like security as an option instead of a fact.
Very well said.
I don’t know why it was not mentioned that Chrome currently doesn’t have support for a master password for the password manager. If I borrow a friend’s computer and they have saved passwords with Chrome, I can see them with a few clicks.
I know that most people do not use the master passwords available in most other password managers, but I do since I often let other people use my computer. Until it is available in Chrome I will continue not to save any of my passwords.
I wrote this up the day Chrome was released: http://duffsdevice.blogspot.com/2008/09/google-chrome-overlooks-one-small.html