The Chromebook login problem

November 27, 2016

I mentioned yesterday that I have a Chromebook hanging around here at the moment. It's for a relative so I haven't played with it very much, but I have poked at it enough to spot one obvious issue: the login and password you use to log into and unlock the Chromebook are your Google account's login and password. This is a potential problem because the properties you'd like for the two passwords are relatively different.

My perception is that many people keep themselves logged in to their Google account. This means that they type the password infrequently, and may trust it to a password manager (and likely have a complex randomly generated password as a result). However, a machine password (Chromebook or otherwise) is something that you'll be typing relatively frequently in order to unlock the machine (probably at least multiple times a day); it's infeasible to use a complex randomly-generated password for this.

Whether you can change this is a frequently asked question and the answer appears to be 'no, that's how it's designed'. I can see three approaches to the problem. First, the obvious one that gets suggested frequently is to set up a separate 'Chromebook' Google account, one that's only used for the Chromebook (and for things that you're treating as an extension of it, like cloud storage). To get access to your real Google account, just log into it in the browser on the Chromebook and so on. I think that you lose some amount of automatic synchronization between the Chromebook and your regular Google account, but apparently this works in general.

The next approach that I've seen recommended is to switch to using an xkcd style password. These are likely secure enough while still being memorable and reasonably easily typed; you can probably rattle one off in a few seconds, which is not too annoying even on the routine basis of unlocking a computer.
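To put rough numbers on "secure enough" versus "easily typed", here is an added example (not from the original post) that sizes a word-based passphrase against a target entropy and generates one with the OS CSPRNG. The 44-bit target, the 2048- and 7776-word list sizes, the 94-character alphabet and the 32-word sample list are all assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 32-word sample list so the block runs offline. It is far too
# small for real use; a diceware-style list has thousands of words.
SAMPLE_WORDS = (
    "anchor basket candle desert ember falcon garden harbor "
    "island jacket kettle lantern meadow napkin orchid pepper "
    "quartz ribbon saddle timber umpire velvet walnut yonder "
    "zipper acorn bramble copper dagger easel fennel goblet"
).split()

def units_needed(choices: int, target_bits: float) -> int:
    """Uniform random picks from `choices` options needed for target_bits."""
    if choices < 2:
        raise ValueError("need at least two options to get any entropy")
    return math.ceil(target_bits / math.log2(choices))

def make_passphrase(words, count: int, sep: str = " ") -> str:
    """Pick `count` words independently and uniformly using the OS CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words lower the real entropy")
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(words, count: int) -> float:
    """Entropy assuming the attacker knows the list and the word count."""
    return count * math.log2(len(words))

def avg_keystrokes(words, count: int) -> float:
    """Expected characters typed, including single-character separators."""
    mean_len = sum(len(w) for w in words) / len(words)
    return count * mean_len + (count - 1)

if __name__ == "__main__":
    target = 44  # assumed target strength in bits, chosen for illustration
    for size in (len(SAMPLE_WORDS), 2048, 7776):  # assumed list sizes
        print(f"{size:5d}-word list: {units_needed(size, target)} words")
    print(f"94 printable chars: {units_needed(94, target)} random characters")
    n = units_needed(len(SAMPLE_WORDS), target)
    keys = avg_keystrokes(SAMPLE_WORDS, n)
    print(f"{make_passphrase(SAMPLE_WORDS, n)}  (~{keys:.0f} keystrokes)")
```

The entropy figure only holds if every word is picked by the generator; swapping in words you like better, or rerolling until the phrase looks nice, reduces it.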

A third possible option is to configure strong 2FA on your Google account and not worry too much about the strength of your password alone. I'm not sure how this interacts with logging into the Chromebook itself, but it will at least protect your Google account in general (and everyone recommends it if you're serious about the security of your account). If I was going to use a Chromebook and I cared about my Google account beyond the Chromebook itself, this is probably the approach I'd go with (possibly combined with an xkcd style password).

(I'd want to explore Google's 2FA options and how they combine first, though. You can apparently use a Yubikey (or any hardware token that supports U2F) as one of your 2FAs, but how does that work if you want to also authenticate from a device that can't talk to the Yubikey (such as an iPhone)? Can you have a second 2FA method so that either the Yubikey's U2F or the other 2FA method is sufficient?)


Comments on this page:

In terms of U2F/mobile support, Google mandates that an account also has regular TOTP (so therefore an app on your phone or as part of a bunch of password managers) enabled. Google doesn't recognize Firefox as a browser that supports U2F, even with the add-on installed, so it always prompts me for a TOTP code. (In other news, I seem to recall hearing about a proposed method of U2F over NFC, so perhaps that's the next step?)

Chromebooks can also be set up to authenticate with a central directory server. Want to set one up in your home's LAN? :D

Written on 27 November 2016.
Last modified: Sun Nov 27 02:19:05 2016