Topic: Chrome’s insane password security strategy  (Read 19680 times)

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Re: Chrome’s insane password security strategy
« Reply #25 on: August 23, 2013, 08:15 AM »
> Google's description of how Chrome sync works has the following warning:
>
> > Don't sign in to Chrome if you're using a public or untrusted computer. When you set up Chrome with your Google Account, a copy of your data is stored on the computer you're using and can be accessed by other people using the same computer. To remove your data, delete the user you are signed in as.
>
> If you take Google at their word, this indicates that signing out still leaves the synced information stored locally.
>
> Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.  As I said, I use Android devices and I also have ported my home and business phone numbers to Google Voice to keep them when I dumped the landlines they were attached to.  This means I need to sign into my Google accounts regularly. I just don't use Chrome to do so, because I don't want whatever is cached locally from other sessions to be synced to those Google accounts.


You're entitled to your own opinion, but not your own facts. You don't have to assume anything. Significantly more detailed information about how Google Sync works is available on Google's website and the settings themselves make it more than clear. The first time you sign into your Google account using Chrome the settings are chosen by Google, meaning sync everything. If you've already signed in and unselected any of the options, those items will not be synced to the next computer you use.

Google's warning is absolutely true for most people because the settings are hidden and once you've logged in there are no obvious warnings about that. That's dishonest and wrong (some would go so far as to say evil) but still completely different than what you're claiming - by your own admission based almost entirely on assumptions.

No, people shouldn't sign into Chrome because Google refuses to take security or user choice seriously. If you have to rely on FUD to justify it you're not paying enough attention.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

xtabber

  • Supporting Member
  • Joined in 2007
  • Posts: 618
Re: Chrome’s insane password security strategy
« Reply #26 on: August 23, 2013, 01:24 PM »

> You're entitled to your own opinion, but not your own facts. You don't have to assume anything. Significantly more detailed information about how Google Sync works is available on Google's website and the settings themselves make it more than clear. The first time you sign into your Google account using Chrome the settings are chosen by Google, meaning sync everything. If you've already signed in and unselected any of the options, those items will not be synced to the next computer you use.
>
> Google's warning is absolutely true for most people because the settings are hidden and once you've logged in there are no obvious warnings about that. That's dishonest and wrong (some would go so far as to say evil) but still completely different than what you're claiming - by your own admission based almost entirely on assumptions.
>
> No, people shouldn't sign into Chrome because Google refuses to take security or user choice seriously. If you have to rely on FUD to justify it you're not paying enough attention.

Not sure what button I pushed to justify this outburst, but your arguments are neither consistent nor correct.

On the one hand, you complain about Google being dishonest and say that people shouldn't sign in to Chrome. On the other hand, you complain that I don't understand that sync can be turned off and that my arguments about using Chrome are therefore false.

I like much about Google and have used their products for years.  I also have friends who are research scientists there. If Google is,  as you say, dishonest in dealing with users, they are probably less so than most big online players, IMHO, which is why I expect to continue to use their products.  But they make their money almost exclusively by selling targeted advertising, and I am not about to trust them to respect my privacy if they can get away with not doing so.

Sync is not the only reason I don't use Chrome for most browsing, but it IS a security risk unless one is vigilant about making sure that it is always turned off. Unfortunately, Google is relentless about trying to get users to relax their privacy settings. I have personally had the experience of activating a new device on a Google account and suddenly finding settings changed everywhere because some screen had a non-obvious pre-checked option to that effect.

Remember that most security breaches are caused by social exploits, not technical flaws.  Google may not be as reckless in exposing their users to this kind of exploit as, say Facebook, but that is still the foundation of their business model. The best way to avoid getting burned is not to play with fire in the first place.  That's why I rarely use Chrome and advise others not to do so when they have safer alternatives.

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Re: Chrome’s insane password security strategy
« Reply #27 on: August 23, 2013, 02:30 PM »

> > You're entitled to your own opinion, but not your own facts. You don't have to assume anything. Significantly more detailed information about how Google Sync works is available on Google's website and the settings themselves make it more than clear. The first time you sign into your Google account using Chrome the settings are chosen by Google, meaning sync everything. If you've already signed in and unselected any of the options, those items will not be synced to the next computer you use.
> >
> > Google's warning is absolutely true for most people because the settings are hidden and once you've logged in there are no obvious warnings about that. That's dishonest and wrong (some would go so far as to say evil) but still completely different than what you're claiming - by your own admission based almost entirely on assumptions.
> >
> > No, people shouldn't sign into Chrome because Google refuses to take security or user choice seriously. If you have to rely on FUD to justify it you're not paying enough attention.
>
> Not sure what button I pushed to justify this outburst, but your arguments are neither consistent nor correct.

I apologize for using a snarkier tone than I intended.


> On the one hand, you complain about Google being dishonest and say that people shouldn't sign in to Chrome. On the other hand, you complain that I don't understand that sync can be turned off and that my arguments about using Chrome are therefore false.

No, I said your facts were inaccurate and supplied a correction. Specifically this fact (emphasis mine)


> Of course, you can use Chrome without ever signing in, but as soon as you do, you have no control over what is spread around through the sync function.

It's impossible to reach rational conclusions based on wildly inaccurate facts. I made no assumption about whether this was the basis of your opinion or not. That statement implies, intentionally or not, it's something others should factor into their decision. That muddies the waters and confuses the real issues - the same issues you yourself mention.

xtabber

  • Supporting Member
  • Joined in 2007
  • Posts: 618
Re: Chrome’s insane password security strategy
« Reply #28 on: August 23, 2013, 02:43 PM »
Let me then amend that to say that you have no control over what is spread around through the sync function unless you know what your sync settings are and can verify that they are what you think they should be at the moment.

Given that Google has, in my personal experience, changed settings without my being aware of it, and that they furthermore make it difficult for most users to understand those settings and to set them the way they would expect them to be if they did understand, I think my amended statement is true.

AFAIAC, that is a glaring security hole, which I simply don't have the time and energy to step around every time I go online, and don't expect anyone else to, either.

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Re: Chrome’s insane password security strategy
« Reply #29 on: August 23, 2013, 03:20 PM »
> Let me then amend that to say that you have no control over what is spread around through the sync function unless you know what your sync settings are and can verify that they are what you think they should be at the moment.
>
> Given that Google has, in my personal experience, changed settings without my being aware of it, and that they furthermore make it difficult for most users to understand those settings and to set them the way they would expect them to be if they did understand, I think my amended statement is true.
>
> AFAIAC, that is a glaring security hole, which I simply don't have the time and energy to step around every time I go online, and don't expect anyone else to, either.

That I agree with 1000%. Especially in the fact Google counts on their users not recognizing the problem, let alone understanding it. The only safe advice in that case is stay away.

What ordinary people can understand, at least when they can see it, is you don't need to blindly trust or distrust any company. As you correctly pointed out sometimes their business interests are aligned with your privacy and security interests - in Google's case arguably more often than most companies. That's at least a foundation for some degree of trust.

At the end of the day most of us are not Google's customers. We're a commodity. That's neither good nor bad (or at least it's both) as long as we recognize and acknowledge it. It's not foolproof but until we've got crystal balls to see the future imperfect is what we're stuck with.

mahesh2k

  • Supporting Member
  • Joined in 2007
  • Posts: 1,426
Re: Chrome’s insane password security strategy
« Reply #30 on: September 03, 2013, 01:12 PM »
I have this history settings problem with Chrome. I wonder if I can disable logging history. The current setting is enabled to "delete history after exit", yet it keeps the history and only destroys the login session.