Why Aren’t Chromebooks Saving Password Changes?

There’s something weird going on with Chromebooks – the Google-branded laptop computers powered by the company’s web-based operating system Chrome OS. They’re not saving the password changes you make to your Google account. Basically, if you change your password, shut down your machine, then reboot, the Chromebook will ask you for your old password instead of the new one.

The problem has to do with Google’s sessions being persistent (that is, they don’t log you out), and leads to a relatively minor security threat. Meaning, if someone was to take advantage of this threat, they would need physical access to your Chromebook. In the grand scheme of things, that puts this threat on the low-end of the risk spectrum. However, because Chromebooks are pitched as low-cost, secure, easy-to-use alternatives to traditional laptops for businesses and educational institutions, it’s important to highlight issues such as this to make the community aware.

Also, I just think it’s annoying.

Having experienced the problem myself after a tip from my former colleague Audrey Watters who covers the edu-tech space at Hack Education, I reached out to security professionals to determine its severity.

Roel Schouwenberg, the Senior Researcher at Kaspersky Lab, who will also be speaking on the topic of Chrome OS security at the upcoming RSA Conference 2012, looked into the problem. He found that the reason this is occurring is because your Google password is used for local authentication, too.

“This is why you can log onto your Chromebook even when it has no Internet connection,” he explains. But when you change your Google password, that change is not immediately communicated back to the Chromebook, even though the new password is active for all your online services.

This is the case even if you change your Google Account password on another device. The old password is stored in Chromebook’s local authentication, so the computer will  ask for the old one. In order to workaround this issue, you have to sign out of your Chromebook session on the device while you’re online, then sign back in to force the sync of the new password that’s already active elsewhere.

But security-wise, an attacker would have to know your old password and have physical access to your Chromebook in order to be a threat. And even then, there isn’t much of a threat: you still have to re-authenticate with any Google service before getting connected to, say, your Gmail or Google Docs, for example.

So while you could call this a security issue, it’s really more of an annoyance. From an I.T. support standpoint, however, I could see this being a hassle for Google App admins who have to help users who can’t figure out why their new password doesn’t work. (One thing I learned from my handful of years in I.T.: no one is immune from experiencing password reset issues. Having passwords that don’t immediately update even when you’re online, would only compound the problem.)

In online discussions of the issue, folks who didn’t force the refresh on their own (you know, normal people), reported seeing sync delays of 24 hours even up to four days or a week. That seems high, though, and it’s hard to know how long these delays are normally without further investigation (underway now).

For what it’s worth, much of this behavior (using the password for local authentication, for example) is by design. That’s why Chromebooks work offline. And a lot of the confusion here could be minimized simply by having a better UI (user interface) and flow for walking you through the password change process.

But really, if you change your Google password, and your Chromebook requires your Google password, then the end user’s expectation is to use their current Google password.

It’s kind of one of those non-issue issues, but something that’s indicative of how far Chrome OS still has to go to be a competitive alternative to traditional operating systems: they’re still working on the login, folks. The login!