Use Same Password Again for Google
"Passwords are one of the worst things on the internet," Mark Risher, Google's senior director for account security, identity, and abuse told The Verge. Though they're essential for security and to help people log in to many apps and websites, "they're one of the principal, if not the principal, ways that people actually end up getting compromised."
It's a strange thing for a Google security executive to say considering the last time you logged into Gmail, you probably typed in a password. But the company has been trying to nudge users away from the model for years, or at least minimize the damage. And in the coming weeks, one of Google's quietest tools in that fight — the Password Checkup feature — will be getting a higher profile, as it joins the Security Checkup dashboard built into every Google account.
Risher is right to be concerned. Though you can use a tool like a password manager to help keep track of your logins, a lot of people just end up reusing passwords for many accounts. Fifty-two percent of people reuse the same password for multiple accounts, according to the results of a poll published in February 2019 by Google and polling firm Harris. Thirteen percent of people reuse that password for all of their accounts, that poll found. And Microsoft said in 2019 that 44 million Microsoft accounts used logins that had been leaked online.
While reusing passwords can be one way to remember a complex word, phrase, or combination of letters, numbers, and symbols that you think no one will ever be able to guess, the practice can put your personal information in danger. If that reused password gets leaked as part of a data breach, hackers could then have the key to many of your other online accounts — no matter how complex the phrase is.
"We know from other research we've done in the past that people who've had their information exposed by a data breach are 10 times more likely to be hijacked than a person that's not exposed by one of these breaches," said Kurt Thomas, a member of Google's anti-abuse and security research team.
Google has been trying to help users build better password habits for some time, slowly but surely. For years, the company has offered a built-in password manager in Google Accounts on Chrome and Android that can save your passwords and autofill them on websites and apps, for example.
But over the past year or so, Google has also been working to help people proactively make better passwords with Password Checkup. The tool checks logins against a database of four billion leaked credentials, seeing if the password you're typing in matches one that's already leaked. It launched first as a Chrome extension in February 2019, and Google baked it into Google Accounts in October and into Chrome in December.
It's not a new idea, but Google is uniquely well-positioned to offer something like Password Checkup. The company has access to billions of passwords and the scale to roll out Password Checkup to billions of users in a manner that integrates with account security tools on which many people already rely.
Figuring out how to let Password Checkup flag compromised credentials in a privacy-respecting manner was a tough technical problem that required a combined effort from both Google and Stanford. The challenge was finding a way to automatically check a user's credentials against a database of breached logins without revealing that information to Google or giving the user access to the whole database, all while scaling that solution to Google's huge user base, researchers from both organizations told me.
To do so, Google stores a hashed and encrypted version of every known username and password exposed by a data breach. Whenever you log into an account, Google will send a hashed and encrypted version of your login info against that database. That way, Google can't see your password, and you can't see Google's list of known-compromised logins. If Google detects a match, Google will show an alert recommending that you change your password for that site.
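The article does not name the scheme behind "hashed and encrypted". The sketch below is an added example, not Google's code: it shows one well-known construction with the property described, commutative blinding by modular exponentiation, so the server never sees the credential hash and the client only ever holds server-keyed values. The modulus is a toy choice, and `BreachServer`, `check_credential` and the sample credentials are constructed for illustration.

```python
import hashlib, math, secrets

# Toy group: integers modulo the Mersenne prime 2**521 - 1. Chosen only to keep
# the example short; it is NOT a secure parameter choice for real use.
P = 2**521 - 1

def rand_key():
    """Random exponent that is invertible modulo the group order P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def hash_cred(username, password):
    """Map a username/password pair to a non-zero group element."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

class BreachServer:
    def __init__(self, leaked):
        self._b = rand_key()  # server secret, never leaves the server
        # Stored form is H(cred)^b: without b, a copy of this set cannot be
        # matched against guessed credentials.
        self.blinded_db = {pow(hash_cred(u, p), self._b, P) for u, p in leaked}

    def answer(self, blinded_query):
        # The server only sees H(cred)^a and cannot strip the client key a.
        return pow(blinded_query, self._b, P)

def check_credential(server, username, password):
    a = rand_key()                                    # fresh key per lookup
    query = pow(hash_cred(username, password), a, P)  # H^a, sent to server
    double = server.answer(query)                     # H^(ab), returned
    unblinded = pow(double, pow(a, -1, P - 1), P)     # remove a, leaving H^b
    # Membership test against the server-keyed set the client was given.
    return unblinded in server.blinded_db

# Constructed sample data, not real breach records.
LEAKED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]

if __name__ == "__main__":
    srv = BreachServer(LEAKED)
    print(check_credential(srv, "alice@example.com", "hunter2"))    # leaked
    print(check_credential(srv, "alice@example.com", "S0me-other")) # not leaked
```

Because a new `a` is drawn for every lookup, two queries for the same credential look unrelated to the server.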
Google gets compromised logins from "multiple different sources and trusted partners," Thomas said, including cloak-and-dagger forums where password dumps are openly shared. "We have an ethical policy that we will never pay criminals for stolen information," he continued. "But just by virtue of how these markets work, very often, [stolen data] will bubble up and become available." Using personas Google has in those marketplaces, the company can acquire the data, he said.
Password Checkup took about two to three years from inception to having it appear in many Google products, according to Thomas. Down the line, Google wants to have Security Checkup email you when it detects that a stored login has been compromised in a data breach, which the company plans to launch in the coming months. And later this year, Google aims to let people use Password Checkup in Chrome even if they aren't logged into a Google account.
Google isn't the only company to offer some kind of password-checking functionality. Paid password manager 1Password recommends changing weak or duplicated passwords and also offers Watchtower, which checks your logins against Troy Hunt's Have I Been Pwned database of more than 9 billion compromised accounts and flags any matches. And Apple announced yesterday that its next version of Safari will have a password-monitoring tool that appears to work similarly to Password Checkup.
But Google has an advantage in helping people with their passwords thanks to its massive scale. And tools like Password Checkup and the built-in password manager ladder up to a broader goal to make online security easier for users.
"What I like security to be — and what I think [Password Checkup] is a good example of — is, 'how do you make it easier for regular people to do the right thing?'" Google's VP of security engineering Royal Hansen told The Verge. "It's not about alerting you with more and more problems," he said. "It's about making it easier for you to do, frankly, the most basic step."
Update June 23rd, 4:06PM ET: Added context about where Password Checkup is already available.
Source: https://www.theverge.com/2020/6/23/21299007/google-password-checkup-security