Google under fire for Chrome browser's password storage policy:

Responding to the controversy, the tech lead for Chrome's browser security team said that they had found that "boundaries within the OS user account [to protect passwords even when a user is logged in] just aren't reliable, and are mostly just theater."

This mostly suggests that the tech lead for Chrome hasn't read Joel Spolsky's Let Me Go Back! strategy letter nor ever heard the saying, "A lock keeps an honest man honest."

"But wait!  Joel's not talking about security, you fool!  He's talking about how Excel ate Lotus 123's lunch!" you say.

That's right, but he's also talking about barriers to entry.

Think of these barriers as an obstacle course that people have to run before you can count them as your customers. If you start out with a field of 1000 runners, about half of them will trip on the tires; half of the survivors won't be strong enough to jump the wall; half of those survivors will fall off the rope ladder into the mud, and so on, until only 1 or 2 people actually overcome all the hurdles. With 8 or 9 barriers, everybody will have one non-negotiable deal killer.

This calculus means that eliminating barriers to switching is the most important thing you have to do if you want to take over an existing market, because eliminating just one barrier will likely double your sales.

On this reread, "calculus" seems a bit strong, doesn't it?

But this works with folks trying to read your passwords too.  How many little sisters (or slightly seedy buddies) might have access to your browser?  Um, lots.  Better yet, how many high-end art thieves contribute to Dollar General's shrinkige issue?  That'd be essentially none.  Completely different "markets" for different sorts of exploits.

More clearly: Folks that install apps on your computer to phone home to some nefarious server in Elbownia do not read your passwords from your settings page.  They do whatever they want.  Folks that visit your house might.

Reportedly again from the Chrome tech lead:

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software.
... the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior.

Right, because most passwords stolen from the settings page is from "someone malicious getting access to your account."  Your little sister is going to "dump your session" and "install malicious extension [sic] to intercept all your browsing activity" or, get this, "install OS user account level monitoring software."  How many times have you seen someone doing this, ever?  How many people do you know who could do this?  The "market" described above is not the one that needs a master password.

Get out of the ivory tower and back into your living room, Chrome, because that's where your users live.

I'll posit that adding a barrier to entry probably does cut the number of passwords stolen in half.  I'd like to see Google's study, not their tech lead's off-the-cuff impressions, suggesting otherwise.

Labels: , ,