The conventional wisdom about passwords—create long, complicated combinations of numbers, letters, characters, and change them frequently—has been wrong for years, security experts say. Now Google is jumping on the better-passwords bandwagon, with new data on American password practices from research survey partner Harris Insights & Analytics to support a new password security feature in all Google accounts today.
The Harris Poll, conducted in August, found that 75 percent of its 3,419 respondents from 12 states struggle to remember their passwords, and this leads them to make poor security choices such as reusing passwords (66 percent); sharing passwords (43 percent); using common passwords such as “abc123,” “Iloveyou,” and “Qwerty” (24 percent); and using easy-to-guess personal information such as birthdays and names of relatives (including themselves) as part of their passwords (59 percent).
Only 45 percent of respondents said they would change an account password after a breach, and only 11 percent said they would change a password after a breakup, despite 57 percent saying they’ve shared passwords with a significant other.
To help improve password security, Google plans to integrate by default features from the Chrome browser’s Password Checkup Extension into Google Accounts this month. (Google also announced on Wednesday that the company is extending its private-browsing Incognito mode to Google Maps, its browsing history auto-delete feature to YouTube, and the ability to delete voice activity to Google Assistant.)
The Password Checkup Extension, originally released in February 2019 and currently installed on more than 945,000 instances of Chrome, warns users when they reuse a password, when they have a weak or otherwise easy-to-guess password, and when one of their passwords has been compromised in a known third-party data breach.
Google automatically resets the passwords of accounts it knows have credentials in third-party data breaches, a tactic the company argues makes its users’ accounts 10 times more secure than if it left those accounts alone. While it can’t reset third-party accounts, it can warn users when those account credentials are documented in known data breaches—and encourage its users to employ best practices when choosing passwords.
What it doesn’t do is let Google see your password, at least according to the original blog post about the extension. “Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure,” wrote Jennifer Pullman, Kurt Thomas, and Elie Bursztein of Google’s security and anti-abuse research team.
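The blog post quoted above states the guarantee but not the mechanism, and the page does not reproduce it. As an added illustration (not Google's code), the Python below shows the blinded-hash set-membership technique a design of this kind can use: the client hashes the credential into a group element, blinds it with a fresh random exponent, and sends only a two-byte username-hash prefix plus the blinded value; the server applies its own secret exponent, returns the result together with the (server-blinded) breached entries in that shard, and the client finishes the comparison locally, so the server sees neither username nor password and the client never sees the breach corpus in the clear. The group (quadratic residues modulo 2^255 - 19), the use of SHA-256 in place of a slow, salted hash such as Argon2, and the sample breach corpus are assumptions made so the example runs stand-alone on the standard library; they are not production parameters.

```python
"""Added illustration of a blinded breach lookup (not Google's code).

Assumed toy parameters: exponentiation in the quadratic-residue subgroup of
Z_p^* with p = 2**255 - 19. A deployment would use an elliptic-curve group and
a slow, salted hash (e.g. Argon2) in hash_to_group; SHA-256 is used here only
to keep the example standard-library-only.
"""
import hashlib
import secrets

P = 2**255 - 19        # prime modulus of the assumed toy group
Q = (P - 1) // 2       # order of the quadratic-residue subgroup; exponents are drawn below Q


def hash_to_group(username: str, password: str) -> int:
    """Map a credential to a group element. Squaring lands the value in the
    quadratic-residue subgroup so the commutative blinding below is well defined."""
    data = (username.lower() + "\x00" + password).encode()
    x = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    return pow(x, 2, P) or 1


def bucket_id(username: str) -> int:
    """Two-byte prefix of a username hash: the only username-derived value the
    client sends. With 65536 shards the server learns little about who asked."""
    return int.from_bytes(hashlib.sha256(username.lower().encode()).digest()[:2], "big")


class BreachServer:
    """Holds breached credentials only as H_i^b (server-blinded), never in the clear."""

    def __init__(self, leaked_credentials):
        self.b = secrets.randbelow(Q - 1) + 1            # server's secret exponent
        self.shards = {}                                 # bucket id -> {H_i^b}
        for user, pw in leaked_credentials:
            h = hash_to_group(user, pw)
            self.shards.setdefault(bucket_id(user), set()).add(pow(h, self.b, P))
        self.requests_seen = []                          # everything the server could log

    def query(self, bucket: int, blinded: int):
        """Return (blinded^b, {H_i^b for breached credentials in this shard})."""
        self.requests_seen.append((bucket, blinded))
        return pow(blinded, self.b, P), self.shards.get(bucket, set())


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: learn whether (username, password) is in the breach set
    without the server learning either value."""
    h = hash_to_group(username, password)
    a = secrets.randbelow(Q - 1) + 1                     # fresh blinding factor per query
    blinded = pow(h, a, P)                               # H^a hides H from the server
    double_blinded, shard = server.query(bucket_id(username), blinded)
    # (H_i^b)^a == (H^a)^b exactly when H_i == H; the comparison happens on the client.
    return any(pow(item, a, P) == double_blinded for item in shard)


if __name__ == "__main__":
    # Constructed sample breach corpus for the demonstration.
    server = BreachServer([("alice@example.com", "Qwerty"), ("bob@example.com", "abc123")])
    print(check_credential(server, "alice@example.com", "Qwerty"))                  # True
    print(check_credential(server, "alice@example.com", "correct horse battery"))   # False
    print(server.requests_seen)   # shard ids and blinded group elements only
```

Two properties are worth checking when reviewing a design like this: the server's request log must contain nothing but shard ids and blinded values that change on every query (the random exponent `a` guarantees that), and the shard the server hands back must be blinded with the server's own secret so a client cannot harvest the breach corpus by walking all 65536 buckets.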
Creating and frequently updating long passwords with complex strings of characters is no longer at the heart of corporate security training, says Lance Spitzner, a director of security awareness at the cybersecurity training organization SANS Institute.
“Password complexity is dead. Password expiration is dead,” he argues. “Having every employee change passwords every 90 days just costs the company time and money. It’s not making them safer. That’s why people hate their security team, and that’s why everybody’s writing their passwords on sticky notes. It’s a high-cost behavior that adds no value.”
To be sure, that’s a very different message from the conventional security wisdom of the not-too-distant past, but in 2017 the National Institute of Standards and Technology issued new guidelines on secure passwords (Special Publication 800-63B). Spitzner summarized those guidelines as: long passwords that use multiple words or a complete sentence—and unique passwords for every online account you have, no matter how inconsequential.
Most password managers, including Google’s, generate new, random passwords on demand, which removes the main reason people reuse passwords. Those generated strings look like the long, complex passwords NIST no longer recommends requiring, but that guidance is aimed at secrets a person must memorize; a random string stored in a manager never has to be remembered, and at equal length it is at least as strong as a memorable passphrase. Most managers also let users edit the generated password before applying it to an account.
Google’s new security feature echoes those offered by independent password managers, says Richard Forno, director of the Graduate Cybersecurity Program at the University of Maryland at Baltimore County, and that’s “a good thing,” given that Google has billions of users, he says.
“If it allows users to create more random passwords and store them, that’s a great thing just on the basis of reusing passwords across systems and different categories of systems,” he says. But he warns that consumers may see a lengthy lag time between how they treat their personal passwords and what their employers mandate them to do.
In other words, you can still expect to have your computer at work demand that you change your password every three months, regardless of whether the updates improve the computer’s security.
“Military [operations], corporations, and government [agencies] are slow to change,” Forno says. “But I think this will allow people to rethink their password practices generally.”
Correction, October 2 at 1:50 p.m. PST: Google’s password checkup is available today.