Chrome Remote Desktop Security - Is it safe?

Chrome Remote Desktop is user-friendly, but is it safe for use with important servers and systems?

Like most of Google's products, Chrome Remote Desktop (CRD) is an incredibly user-friendly and useful tool. Though Microsoft's RDP is easily the most common way to connect to remote PCs and servers, Google's tool has become popular among casual users. But what about in a professional context? Many business owners wonder whether Chrome Remote Desktop is safe enough to use with important systems and information.

Chrome Remote Desktop security: How does it work?

Though it has "Remote Desktop" in the name, CRD uses a different protocol and security setup from Microsoft's tool. On the server or remote PC, the admin installs the Chrome Remote Desktop browser add-on and sets a PIN. By default, to connect, the user:

  1. Logs into their Google Account
  2. Clicks on the device in their list and enters the PIN

This is great in terms of usability, with end users not needing to install any software or input IP addresses. However, there are some security concerns with this setup.

Is Chrome Remote Desktop safe?

Ultimately, the security of your Chrome Remote Desktop server depends heavily on the security of end-user accounts. You likely do not have control over how secure the user's password is, their 2FA, or other security issues on their local device.

Once a user's account is compromised, the attacker only needs to enter a numerical PIN to access the server. For context, here is how long it takes a mid-tier gaming PC to crack numerical passwords of different lengths:

No. of characters    Time to crack
4                    Instantly
5                    Instantly
6                    Instantly
7                    Instantly
8                    Instantly
9                    Instantly
10                   Instantly
11                   Instantly
12                   2 seconds
13                   4 minutes
14                   41 minutes
15                   6 hours
16                   2 days
17                   4 weeks
18                   9 months

Source: Hive Systems

In other words, if you are connecting to your server with your own user account, which you can verify is secure, then you do not need to worry too much (though watch out for attacks such as session hijacking). However, once you start throwing employees, friends, etc. into the mix, Chrome Remote Desktop's account-based security could cause some major issues. If your PIN is not over 18 characters, it will provide very little protection.
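The arithmetic behind the table above, as an added example (not code from the original article or from Hive Systems): each extra digit multiplies the PIN keyspace by ten, so you can work out the shortest PIN that withstands a given search time and generate one from a secure random source. The guess rate, the weak-pattern rule and all function names are assumptions made for illustration; the model assumes guesses can be tested at a fixed rate with no lockout.

```python
import secrets

# Assumption (not from the page): guesses per second the attacker can test.
# Replace it with a rate measured for your own threat model.
ASSUMED_GUESSES_PER_SECOND = 4e10


def keyspace(length: int) -> int:
    """Number of distinct numeric PINs of exactly `length` digits."""
    if length < 1:
        raise ValueError("PIN length must be at least 1")
    return 10 ** length


def worst_case_seconds(length: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to try every PIN of this length; the average hit takes half that."""
    return keyspace(length) / rate


def min_length_for(seconds_required: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> int:
    """Smallest digit count whose full keyspace takes at least `seconds_required`."""
    needed = seconds_required * rate
    length = 1
    while keyspace(length) < needed:
        length += 1
    return length


def has_weak_pattern(pin: str) -> bool:
    """Flag PINs a guesser tries first: one repeated digit, or a straight
    ascending/descending run (wrapping 9 -> 0), e.g. 111111, 123456, 654321."""
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def generate_pin(length: int = 25) -> str:
    """Random numeric PIN from the OS CSPRNG; 25 digits is the page's suggestion."""
    if length < 2:
        raise ValueError("PIN length must be at least 2")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not has_weak_pattern(pin):
            return pin


if __name__ == "__main__":
    for n in (6, 12, 18, 25):
        print(f"{n:>2} digits: worst case {worst_case_seconds(n):.3g} s")
    print("digits needed to last one year:", min_length_for(365 * 86400))
    print("sample 25-digit PIN:", generate_pin())
```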

Recommendations

Generally, we advise you to use Windows RDP over Chrome Remote Desktop. With a few modifications such as a changed port number and proper VPN setup, Windows RDP can be quite secure.

Chrome Remote Desktop can be a suitable alternative if you are the sole admin/user of a server and have strong Google Account security or if the data on your server is not sensitive. However, you should still make sure that your PIN is at least 20 characters (we recommend 25+) and you should still be using a VPN.