Author Archives: Mark Risher

A simpler and safer future — without passwords

You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious. Many people believe that a password should be as long and complicated as possible – but in many cases, this can actually increase the security risk. Complicated passwords tempt users into using them for more than one account; in fact, 66% of Americans admit to using the same password across multiple sites, which makes all those accounts vulnerable if any one falls. 


In 2020, searches for “how strong is my password” increased by 300%. Unfortunately, even the strongest passwords can be compromised and used by an attacker – that’s why we invested in security controls that prevent you from using weak or compromised passwords. 


At Google, keeping you safe online is our top priority, so we continuously invest in new tools and features to keep your personal information safe, including your passwords. 


On World Password Day, we’re sharing how we are already making password management easier and safer, and we’re providing a sneak peek at how our continued innovation is creating a future where one day you won’t need a password at all. 


Keeping Your Google Sign In Safer

One of the best ways to protect your account from a breached or bad password is by having a second form of verification in place – another way for your account to confirm it is really you logging in. Google has been doing this for years, ensuring that your Google Account is protected by multiple layers of verification.


Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup.) Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.


We are also building advanced security technologies into devices to make this multi-factor authentication seamless and even more secure than a password. For example, we’ve built our security keys directly into Android devices, and launched our Google Smart Lock app for iOS, so now people can use their phones as their secondary form of authentication. 

image of second step authentication Google sign in form


Keeping Your Passwords Safer Everywhere 


For as long as passwords remain a part of your digital life, through the apps you use and the websites you access, we will continue to innovate and develop new products and technologies that make managing them easy, and most importantly secure by default.


Our Password Manager, built directly into Chrome, Android and now iOS, uses the latest security technology to protect your passwords across all the sites and apps you use. It makes it easier to create and use complex and unique passwords, without the need to remember or repeat them. Every time you go to a site or sign in to an app while logged into your Google Account, Password Manager can automatically populate your secure password. Password Manager is also integrated into our single-click Google Security Checkup — which tells you if any of your passwords have been compromised, if you are reusing passwords across different sites, and the strength of your passwords. We also automatically inform you if your password has been compromised, so you can make a quick and easy change to keep your information safe. 

video on how to upload passwords into Password Manager

We’ve recently launched our new Password Import feature which allows people to easily upload up to 1,000 passwords at a time from various third party sites into our Password Manager (for free). By taking this step you can ensure that all of your passwords are protected by our advanced security and privacy technology. 


Features like Password Import, Password Manager and Security Checkup — combined with authentication products like Sign-in with Google — reduce the spread of weak credentials. All are examples of how we're working to make your online experience safer and easier—not just on Google, but across the web. 


One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past, but until then Google will continue to keep you and your passwords safe. Visit our Safety Center to learn all the ways we’re making every day safer online.

Furthering our support for election security

Last year at the start of the U.S. 2020 election season, we announced our collaboration with Defending Digital Campaigns (DDC), a nonprofit and nonpartisan organization, to give any eligible Federal campaign access to free Titan Security Keys—the strongest form of two-factor authentication. This collaboration is a part of our Advanced Protection Program, which protects high-risk individuals who have access to high visibility and sensitive information, such as election officials, campaigns, activists and journalists. In the lead up to the 2020 elections, DDC distributed more than 10,000 Titan Security Key bundles to more than 140 U.S. Federal campaigns.

Today we’re expanding our support for DDC to provide eligible campaigns and political parties, committees, and related organizations with knowledge, training, and resources to defend themselves from security threats—now at both the Federal and state level. Here’s how:

  • Expanding security support to eligible state campaigns: We’re expanding our collaboration with DDC to include state campaign security support alongside our existing federal campaign efforts.

  • Supporting virtual security training in all 50 states: To help spread awareness and educate all persons involved in the campaign ecosystem, we’re collaborating with DDC to bring non-partisan virtual security training to all 50 states by the end of 2021. These trainings are designed to inform and educate state campaign officials, staff and others in the political sector, to understand the basics of protecting their organizations, keeping their information safe, and using built-in and widely available security tools.

  • Deploying an election security help desk and “best practices” knowledge base: We understand that security can be complex and that questions are inevitable. That’s why we will be supporting DDC to deploy a cybersecurity “help desk” to help eligible campaigns with cybersecurity-related questions and product implementation support. This will include, but not be limited to, support for our Advanced Protection Program and Titan Security Keys and other Google security products and services. DDC is also building out an online knowledge base to easily access security best practices, including steps to protect your accounts, frequently asked questions and more.

We continue to recommend that everyone associated with political campaigns enroll in our Advanced Protection Program, which is free, bundles the strongest Google Account security options together, and proactively protects against new and evolving threats. Advanced Protection is available for both personal and Workspace accounts—we recommend campaign members enroll both types of accounts in the program.

In addition to our continued work with DDC for campaigns, we’re also supporting a new cybersecurity training initiative for elected officials and their staff. Cybersecurity for State Leaders, driven by the National Cybersecurity Center and supported by Google, aims to educate state lawmakers and staff on ways to strengthen their defenses against digital attacks. The training will be conducted in all 50 states over the course of 2021, through a series of virtual seminars throughout the year.

Keeping everyone safe online remains our top priority and we look forward to continuing our work in 2021 to make sure campaigns and elected officials around the world stay safe online. Through our network of global Google Safety Engineering Centers (GSEC) we will also further expand our reach to bring Google’s strongest security protections to those who need it most around the world.

Helping you avoid COVID-19 online security risks

As people around the world are staying at home due to COVID-19, many are turning to new apps and communications tools to work, learn, access information, and stay connected with loved ones. 


While these digital platforms are helpful in our daily lives, they can also introduce new online security risks. Our Threat Analysis Group continually monitors for sophisticated, government-backed hacking activity and is seeing new COVID-19 messaging used in attacks, and our security systems have detected a range of new scams such as phishing emails posing as messages from charities and NGOs battling COVID-19, directions from “administrators” to employees working from home, and even notices spoofing healthcare providers. Our systems have also spotted malware-laden sites that pose as sign-in pages for popular social media accounts, health organizations, and even official coronavirus maps. During the past couple of weeks, our advanced, machine-learning classifiers have seen 18 million daily malware and phishing attempts related to COVID-19, in addition to more than 240 million COVID-related spam messages. 


To protect you from these risks, we've built advanced security protections into Google products to automatically identify and stop threats before they ever reach you. Our machine learning models in Gmail already detect and block more than 99.9 percent of spam, phishing and malware. Our built-in security also protects you by alerting you before you enter fraudulent websites, scanning apps in Google Play before you download, and more. But we want to help you stay secure everywhere online, not just on our products, so we’re providing these simple tips, tools and resources.

Know how to spot and avoid COVID-19 scams

With many of the COVID-19 related scams coming in the form of phishing emails, it’s important to pause and evaluate any COVID-19 email before clicking any links or taking other action. Be wary of requests for personal information such as your home address or bank details. Fake links often imitate established websites by adding extra words or letters to them—check the URL’s validity by hovering over it (on desktop) or with a long press (on mobile). Keep these tips handy and learn more at g.co/covidsecuritytips.

Use your company’s enterprise email account for anything work-related

Working with our enterprise customers, we see how employees can put their company’s business at risk when using their personal accounts or devices. Even when working from home, it’s important to keep your work and personal email separate. Enterprise accounts offer additional security features that keep your company’s private information private. If you’re unsure about your company’s online security safeguards, check with your IT professionals to ensure the right security features are enabled, like two-factor authentication.

Secure your video calls on video conferencing apps

The security controls built into Google Meet are turned on by default, so that in most cases, organizations and users are automatically protected. But there are steps you can take on any video conferencing app to make your call more secure:

  • If your meetings use short, numeric codes, turn on the password or PIN feature. The extra layer of verification will help ensure only the invited attendees gain access to the meeting.

  • When sharing a meeting invite publicly, be sure to enable the “knocking” feature so that the meeting organizer can personally vet and accept new attendees before they enter the meeting.

  • If you receive a meeting invite that requires installing a new video-conferencing app, always be sure to verify the invitation—paying special attention to potential imposters—before installing.

Install security updates when notified

When working from home, your work computer may not automatically update your security technology as it would when in the office and connected to your corporate network. It’s important to take immediate action on any security update prompts. These updates solve for known security vulnerabilities, which attackers are actively seeking out and exploiting.

Use a password manager to create and store strong passwords

With all the new applications and services you might be using for work and school purposes, it can be tempting to use just one password for all. In fact, 66 percent of Americans admit to using the same password across multiple accounts. To keep your private information private, always use unique, hard-to-guess passwords. A password manager, like the one built into Android, Chrome, and your Google Account can help make this easier.

Protect your Google Account

If you use a Google Account, you can easily review any recent security issues and get personalized recommendations to help protect your data and devices with the Security Checkup. Within this tool, you can also run a Password Checkup to learn if any of your saved passwords for third party sites or accounts have been compromised and then easily change them if needed.


You should also consider adding two-step verification (also known as two-factor authentication), which you likely already have in place for online banking and other similar services to provide an extra layer of security. This helps keep out anyone who shouldn’t have access to your accounts by requiring a secondary factor on top of your username and password to sign in. To set this up for your Google Account, go to g.co/2SV. And if you’re someone who is at risk of a targeted attack—like a journalist, activist, politician or a high profile healthcare professional—enroll in the Advanced Protection Program, our strongest security offering, at g.co/advancedprotection.

Help your kids stay safe online

With schools closed around the world, kids are online more than ever before. You can help your kids learn how to spot scams with the educational material at Be Internet Awesome and within the interactive learning game, Interland. You can also use Family Link to create age-appropriate accounts, control your kids’ app downloads, and monitor their activity.

Our teams continue to monitor the evolving online security threats connected to COVID-19 so that we can keep you informed and protected. For more tips to help you improve your online security, visit our Safety Center.

Teaming up with Defending Digital Campaigns on election security

Last week, we shared an overview of how we’re equipping campaigns with security tools like Project Shield and supporting programs like the new Election Security and Information Project. We also just announced a major update of our Advanced Protection Program which will make it easier for members of campaigns to get our strongest level of Google Account security, in an instant.

Today is Safer Internet Day and we’re announcing a new partnership with Defending Digital Campaigns to provide federal campaigns access to free Titan Security Keys, the strongest form of two-factor authentication. Last year, the Federal Elections Commission granted special approval for DDC to offer cybersecurity services to presidential and congressional campaigns. We’re working with this bipartisan organization to help make all qualifying campaigns safer and make it easier for people to enroll in our Advanced Protection program.

Security keys aren’t the only thing campaigns can do to stay safer. Here are three things that any campaign can do to make their members, and their entire organizations, more secure right now.

Enroll in the strongest security offering

From candidates to canvassers, every member of a campaign should understand how to add extra layers of security and protect their information. We recommend everyone associated with political campaigns enroll in our Advanced Protection Program, which bundles all our strongest Google Account security options together. Advanced Protection is available for both personal and G Suite accounts and we recommend campaign members enroll both types of accounts in the program, which they can now enroll instantly with their Android or iPhone. Qualifying campaigns can also request a free physical security key as a backup via Defending Digital Campaigns.

Protect everyone, not just the name at the top of the ticket

Every member of a campaign needs to understand the basics of keeping their information safe. Of course that applies to candidates themselves, but it’s equally important for everyone else with access to campaign information. In fact, it might be more important to educate the vendors, consultants, and support staff because they may not think of themselves as at risk.

If you’re working on a political campaign we recommend that you enroll in the Advanced Protection Program. But, if you decide that’s not for you, these five security tips can strengthen your security in just a few minutes. For example, our research found that simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks. Campaigns can check out The Belfer Center’s Cybersecurity Campaign Playbook and their overview video for more extensive information.

Make sure someone is accountable for your campaign’s security

Campaigns and political committees should make sure someone at a senior level is responsible for implementing security best practices. You wouldn’t expect the employees of a bank to tolerate consultants with personal email accounts, staffers checking sensitive data on the family iPad, or vendors emailing documents back and forth. Political campaigns, despite often having more of a startup feel, shouldn’t tolerate these lax practices either.

It’s never too late for campaigns to take these simple steps, and much easier to dial up the defense than many people think.

Protecting our Google Docs and Drive Users

Protecting all Google users from viruses, malware, and other abusive content is central to user cyber-safety and sometimes we remove access to certain files in order to provide these protections.


On Tuesday, October 31, we mistakenly blocked access to some of our users’ files, including Google Docs. This was due to a short-lived bug that incorrectly flagged some files as violating our terms of service (TOS). The blocking raised questions in the community and we would like to address those questions here.


The Google Docs and Drive products have unparalleled automatic, preventive security precautions in place to protect our users from malware, phishing and spam, using both static and dynamic antivirus techniques. Virus and malware scanning is an industry best practice that performs automated comparisons against known samples and indicators; the process does not involve human intervention.


Tuesday’s bug caused the Google Docs and Drive services to misinterpret the response from these protection systems and erroneously mark some files as TOS violations, thus causing access denials for users of those files. As soon as our teams identified the problem, we removed the bug and worked to restore access to all affected files.


We apologize to our users for any inconvenience this incident caused and remain committed to offering high-quality systems that keep their content safe while fully securing their files.

Source: Drive


Fighting phishing with smarter protections

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week. This is the third post; read the first and second ones.

Online security is top of mind for everyone these days, and we’re more focused than ever on protecting you and your data on Google, in the cloud, on your devices, and across the web.


One of our biggest focuses is phishing, attacks that trick people into revealing personal information like their usernames and passwords. You may remember phishing scams as spammy emails from “princes” asking for money via wire-transfer. But things have changed a lot since then. Today’s attacks are often very targeted—this is called “spear-phishing”—more sophisticated, and may even seem to be from someone you know.


Even for savvy users, today’s phishing attacks can be hard to spot. That’s why we’ve invested in automated security systems that can analyze an internet’s-worth of phishing attacks, detect subtle clues to uncover them, and help us protect our users in Gmail, as well as in other Google products, and across the web.


Our investments have enabled us to significantly decrease the volume of phishing emails that users and customers ever see. With our automated protections, account security (like security keys) and warnings, Gmail is the most secure email service today.


Here is a look at some of the systems that have helped us secure users over time, and enabled us to add brand new protections in the last year.

More data helps protect your data


The best protections against large-scale phishing operations are even larger-scale defenses. Safe Browsing and Gmail spam filters are effective because they have such broad visibility across the web. By automatically scanning billions of emails, webpages, and apps for threats, they enable us to see the clearest, most up-to-date picture of the phishing landscape.


We’ve trained our security systems to block known issues for years. But, new, sophisticated phishing emails may come from people’s actual contacts (yes, attackers are able to do this), or include familiar company logos or sign-in pages. Here’s one example:


Attacks like this can be really difficult for people to spot. But new insights from our automated defenses have enabled us to immediately detect, thwart and protect Gmail users from subtler threats like these as well.

Smarter protections for Gmail users, and beyond

Since the beginning of the year, we’ve added brand new protections that have reduced the volume of spam in people’s inboxes even further.

  • We now show a warning within Gmail’s Android and iOS apps if a user clicks a link to a phishing site that’s been flagged by Safe Browsing. These supplement the warnings we’ve shown on the web since last year.


  • We’ve built new systems that detect suspicious email attachments and submit them for further inspection by Safe Browsing. This protects all Gmail users, including G Suite customers, from malware that may be hidden in attachments.
  • We’ve also updated our machine learning models to specifically identify pages that look like common log-in pages and messages that contain spear-phishing signals.

Safe Browsing helps protect more than 3 billion devices from phishing, across Google and beyond. It hunts and flags malicious extensions in the Chrome Web Store, helps block malicious ads, helps power Google Play Protect, and more. And of course, Safe Browsing continues to show millions of red warnings about websites it considers dangerous or insecure in multiple browsers—Chrome, Firefox, Safari—and across many different platforms, including iOS and Android.


Layers of phishing protection


Phishing is a complex problem, and there isn’t a single, silver-bullet solution. That’s why we’ve provided additional protections for users for many years.

  • Since 2012, we’ve warned our users if their accounts are being targeted by government-backed attackers. We send thousands of these warnings each year, and we’ve continued to improve them so they are helpful to people. The warnings look like this.
  • This summer, we began to warn people before they linked their Google account to an unverified third-party app.
  • We first offered two-step verification in 2011, and later strengthened it in 2014 with Security Key, the most secure version of this type of protection. These features add extra protection to your account because attackers need more than just your username and password to sign in.

We’ll never stop working to keep your account secure with industry-leading protections. More are coming soon, so stay tuned.

The geeky detective-work that protects you online, automatically

Using a strong password without recycling it on different accounts, exchanging personal information only on encrypted sites, keeping your software up to date: these tried-and-true tips have never been more important for staying safe online. But this Safer Internet Day, we wanted to give some insight into how our systems help keep you safe, automatically—on Google and beyond. No switches to flip or buttons to click, these protections always have your back.

Outsmarting phishing to protect your Google Account

Sometimes, email may look like it came from someone you trust, but it might be a wolf in sheep’s clothing. This spammy message is trying to phish you—trick you into giving away your personal information—and then hijack your account.
Spam emails take advantage of your trust in friends or businesses to try to infect your computer or steal your username and password

Luckily, we’ve built lots of smart armor into Gmail to automatically zap scammy messages before you ever see them. Our systems anonymously examine thousands of signals across all of Gmail—where a message originated, to whom it’s addressed, how often the sender has contacted the recipient in the past—to determine which messages are safe, and which ones aren’t. We then filter the vast majority of this nasty stuff out; the average Gmail inbox contains less than 0.1 percent spam.

Still, across the internet, the bad guys can be pretty clever. For example, a fraudster could steal your username and password because you accidentally shared them on an especially deceptive scam site. But, even if attackers have your credentials, our systems are still able to block them and keep your account safe, something we did hundreds of millions of times in 2016. That's because we aren’t just making sure you’ve typed the right password. We also look for subtler signals to confirm the sign-in doesn’t look funky: Are you using the same device that you usually use? Are you in a familiar location, or somewhere far away that you haven’t been to before? We want to make sure the sign-in attempt doesn’t resemble other concerning sign-in patterns that may be on our radar at any given time.

The secret sauce is the systems that detect these subtler signals—clues—billions and billions of times every day to help paint the picture of a safe log-in. Think of these like Sherlock Holmes’ magnifying glass...if it were powered by a few data centers. The clues scammers may not even know they’re leaving behind help us inspect each new log-in attempt and compare it with the picture of a safe log-in that our systems have painted based on billions and billions of other log-ins. If something looks fishy, we’ll require more verifications designed to thwart bad guys, send notifications to your phone, or email you so you can quickly act on anything that looks unfamiliar.
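The sign-in evaluation sketched above, as an added illustration that is not Google's code: a new attempt is scored against the account's history using the signals the post names (familiar device, familiar location, source matching a concerning pattern), and the score decides between allowing, allowing with a notification, or requiring extra verification. The weights, thresholds, 200 km familiarity radius and sample data are assumptions chosen for the example.

```python
"""Risk-based sign-in evaluation (constructed illustration, not Google's system).

Signal weights, thresholds and all sample data below are assumptions.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple


@dataclass(frozen=True)
class SignInAttempt:
    password_ok: bool   # outcome of the credential check, already performed
    device_id: str      # stable identifier for the browser or app instance
    lat: float
    lon: float
    ip: str


@dataclass
class AccountHistory:
    """Baseline built from the account's previous confirmed sign-ins."""
    devices: Set[str] = field(default_factory=set)
    locations: List[Tuple[float, float]] = field(default_factory=list)


# Constructed stand-in for "concerning sign-in patterns on our radar", e.g. a
# source range seen in a bulk credential-stuffing wave. 203.0.113.0/24 is
# documentation address space (TEST-NET-3), used here only as sample data.
SUSPICIOUS_IP_PREFIXES = ("203.0.113.",)

FAMILIAR_RADIUS_KM = 200.0  # assumption: this close to a prior location is "familiar"
STEP_UP_THRESHOLD = 3       # assumption: at or above this score, demand a second factor


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points, in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_sign_in(attempt: SignInAttempt, history: AccountHistory):
    """Return (decision, reasons).

    decision is 'deny' (bad credentials), 'allow', 'notify' (allow, but alert
    the owner) or 'step_up' (require additional verification before access).
    """
    if not attempt.password_ok:
        return "deny", ["bad credentials"]
    score, reasons = 0, []
    if attempt.device_id not in history.devices:
        score += 2
        reasons.append("unrecognised device")
    here = (attempt.lat, attempt.lon)
    nearest = min((haversine_km(here, p) for p in history.locations), default=None)
    if nearest is None or nearest > FAMILIAR_RADIUS_KM:
        score += 2
        reasons.append("unfamiliar location")
    if attempt.ip.startswith(SUSPICIOUS_IP_PREFIXES):
        score += 3
        reasons.append("source matches known-bad pattern")
    if score == 0:
        return "allow", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "notify", reasons


def record_success(history: AccountHistory, attempt: SignInAttempt) -> None:
    """Once a sign-in is confirmed legitimate, fold it into the baseline."""
    history.devices.add(attempt.device_id)
    history.locations.append((attempt.lat, attempt.lon))


def demo():
    """Constructed account: one phone, normally signing in from San Francisco."""
    history = AccountHistory({"phone-A"}, [(37.77, -122.42)])
    usual = SignInAttempt(True, "phone-A", 37.80, -122.27, "198.51.100.7")
    new_device = SignInAttempt(True, "laptop-B", 37.80, -122.27, "198.51.100.7")
    far_away = SignInAttempt(True, "laptop-B", 52.52, 13.40, "198.51.100.7")
    # Correct password, known device and place, but the source matches a pattern
    # on the watch list: the password alone is not enough to get in.
    known_bad_source = SignInAttempt(True, "phone-A", 37.77, -122.42, "203.0.113.9")
    return {
        "usual": score_sign_in(usual, history)[0],
        "new_device": score_sign_in(new_device, history)[0],
        "far_away": score_sign_in(far_away, history)[0],
        "known_bad_source": score_sign_in(known_bad_source, history)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {decision}")
```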

On the web, on Android: we've got you covered

A Safe Browsing warning: red means stop!

We use similar security tools to help make the web and a huge variety of Android apps and devices safer too.

For example, have you ever clicked a link and seen a red warning, like this? That’s Safe Browsing at work, strongly suggesting you should avoid visiting a site because it probably contains “badness,” like malware or a phishing trap. Similar to the way we crawl the web to deliver search results, Safe Browsing crawls for bad stuff that might be harmful to you or your device. It’s always hard at work: We show tens of millions of Safe Browsing warnings every week on more than 2 billion devices, across a variety of web browsers.

For our Android users, we developed an “app analyzer” that builds on Safe Browsing’s technology to specifically hunt for dangerous Android apps, wherever they may be, and warn you before you install one. If an app doesn’t pass the app analyzer test, it won’t be allowed in Google Play. An additional protection, Verify Apps, runs directly on Android devices, proactively checking more than 6 billion apps and 400 million devices every day. It checks in when you install an app, returns frequently to make sure everything looks safe, and if something is amiss, can remove the app from afar.

Detecting the obvious badness—sites well-known for phishing scams, ransomware that locks your device until you pay a fraudster—is relatively easy. But the stealthier badness is only detectable by measuring billions of signals across sites and apps. If this sounds similar to the way we approach spam protections on Gmail or suspicious logins into Google, that’s because it is! The ability to understand badness on a large scale enables us to find the clues bad guys don’t even know they were leaving behind.

We have a responsibility to keep you safe on Google, and help make the web more secure as well. We’re constantly improving our automatic protections, but we want to give you the controls to adjust your security settings as well. With that in mind, celebrate Safer Internet Day by taking our two-minute Security Checkup to protect your account and adjust your security settings. You can also learn more about other ways to keep your Google Account secure at privacy.google.com.