Monday, 9 October 2006

Google security: an easy way Google can help, why don't they?






Google reiterated recently that they take security "very seriously" (ironically, just a couple of days before they reported that someone had exploited a Blogger bug to make a fake post on Google's official blog!).

They've even got a new page dedicated to security now, and will take security-related comments/feedback at security@google.com.

So, I ask, why don't they fix one simple thing to do with Google services that's been bugging me for a while now?

Whenever you log in to a Google service, the "Remember me on this computer" box on the login page is automatically TICKED by default. Just a couple of examples (Reader and Page Creator), you get the drift...:




The only exception seems to be Gmail - I've UNticked that "Remember me on this computer" box when logging into Gmail, and it seems to stay unticked after that (for the account I unticked it for, on every computer I've tried, so it seems to be related to the account rather than to cookies on that computer?). But for all Google services, I feel strongly that the box should not be ticked as standard, whether I choose to save cookies or not (and it won't surprise you that I clear out my cookies every session). Certainly, if you untick it, it should stay unticked.

The reason is obvious. If a user forgets to untick that box before logging in, and forgets to log out of the service they were using, the next person who goes to (say) Gmail or another Google site using the same computer can read the previous person's mail, feed subscriptions etc, and even reply as them, with impunity. So much for security and privacy...

In these days of shared computers and the widespread use of public computers in libraries, internet cafes and the like, I personally think that it's irresponsible of any Web service provider to code their login page so that the "Remember me" box is checked in advance.

Changing the default position and UNchecking that box is such an easy and simple thing to do and I firmly believe would immeasurably help improve security and privacy no end. So why don't Google? Pretty please? (Though in general I'm a huge Google fan, as any reader of my blog will know.)
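One way to check a login page for the default described above, as an added example that is not part of the original post: this Python check parses HTML and reports "remember me" checkboxes that arrive pre-ticked on forms containing a password field. The sample markup and field names are constructed, and recognising the control by its name or id is an assumption.

```python
import re
from html.parser import HTMLParser

# Assumption: a "remember me" control is recognisable from its name or id.
REMEMBER_RE = re.compile(r"remember|persist|stay.?signed|keep.?logged", re.I)

class RememberMeAudit(HTMLParser):
    """Collect "remember me" checkboxes, grouped by the form that holds them."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form> seen
        self._form = None      # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False, "boxes": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._form["password"] = True
            elif kind == "checkbox":
                label = " ".join(a.get(k) or "" for k in ("name", "id"))
                if REMEMBER_RE.search(label):
                    # A bare `checked` attribute is parsed as ("checked", None).
                    name = a.get("name") or a.get("id") or ""
                    self._form["boxes"].append((name, "checked" in a))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def prechecked_remember_boxes(html):
    """Return (form action, checkbox name) for each pre-ticked box on a login form."""
    parser = RememberMeAudit()
    parser.feed(html)
    parser.close()
    return [(f["action"], name) for f in parser.forms if f["password"]
            for name, checked in f["boxes"] if checked]

# Constructed sample: two login forms and one unrelated search form.
SAMPLE = """
<form action="/login-a"><input type="text" name="user"><input type="password" name="pw">
  <input type="checkbox" name="rememberme" checked="checked"> Remember me on this computer</form>
<form action="/login-b"><input type="text" name="user"><input type="password" name="pw">
  <input type="checkbox" id="remember_me" name="remember_me"> Remember me</form>
<form action="/search"><input type="checkbox" name="remember_filters" checked></form>
"""
```

Only the first form is reported: the second ships the box unticked, and the third has no password field, so it is not treated as a login form.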

(Another thing that bugs me is how Skype tries to start up automatically with your computer AND log in the first user automatically; and even if you try to disable those options, each time you manually start Skype they're ticked by default again, so you have to remember to UNcheck those boxes before logging in or you're stuck with it until you disable it manually. Again, with shared computers and public computers I think it's downright dangerous and stupid to do that, and taking control away from users, which is a big bugbear of mine, is also a usability no-no - and in this case surely bad for security as well as PR for Skype, in terms of irritating its users.)

4 comments:

Taylor said...

Hey great point. This is one of those "duh" things that Google should really consider doing.

Anonymous said...

That checkbox only causes your username to be remembered. That is, if you log out of Google Reader and then visit the Reader page again, your username will be filled in automatically. Your password will not be remembered unless you tell your browser to do so.

Anonymous said...

I would have to say that that above comment Pwns the original poster. It was a valid question, I use Gmail and did notice that the password is not saved by the check box.

Improbulus said...

Glad you agree Taylor!

Point taken, thank you Anons, but I still don't want even my username to be remembered (as people can search for it on Google and I may not want others to associate me with that username!). I use different names for different aspects of my life for privacy and security reasons.