Tag Archives: safety and security

Enroll in the new Advanced Protection Program in an instant

We aim to secure all of our users with simple, powerful and personalized protections. The Advanced Protection Program helps high-risk users—like members of political campaign teams, journalists, activists, executives, employees in regulated industries such as finance or government—shield themselves from targeted, sophisticated attacks on their Google Accounts. We’ve helped protect these types of people for many years: we introduced our government-backed attack warnings in 2012, and from July to September 2019, we sent more than 12,000 warnings to users around the world.

People consistently tell us the Advanced Protection Program has been a leap forward for their security, but we haven’t made it easy enough to enroll. Today, we’re simplifying Advanced Protection while maintaining the same high level of security protections. Now, if you have an Android phone or iPhone, you can sign up and enroll into the program with just a few clicks. Here’s how it works.

Advanced Protection, simplified

Advanced Protection offers added protection from phishing attacks because the program requires exclusive use of security keys. According to a study we released last year, people who exclusively used security keys to sign into their accounts never fell victim to targeted phishing attacks. But, using security keys can be a hurdle for users: they can be costly, and acquiring and keeping track of two extra pieces of hardware is a burden.

Everything becomes much simpler when the things we’re already carrying around—our smartphones—have a built-in security key. That’s been the case on Android since last year, and starting today you can activate a security key on your iPhone as well. Millions of people around the world—many high-risk users among them—use iPhones, and this new capability makes Advanced Protection significantly easier for them. To learn more about using your iPhone’s security key, check out this post on our security blog.

Approving the sign-in to a Google Account via Google's Smart Lock app

Getting started with Advanced Protection

You can enroll in Advanced Protection with a few clicks if you have a phone running Android 7+ or iOS 10.0+. 

Advanced Protection enrollment for Android users

With attacks on the rise, and many major events on the horizon this year like the U.S. elections in November, the Advanced Protection Program offers a simple way to incorporate the strongest account protections that Google offers. Enroll now.

Putting you in control: our work in privacy this year

Every day, hundreds of people at Google work on building the best privacy protections into our products. In 2019, we made a renewed push around privacy tools, controls and engineering talent, an investment that is already making a difference—nearly 20 million people around the globe visit their Google Account daily, accessing security, privacy and ad settings. As a vice president of product for privacy, I look forward to supporting this work more in my new role leading Google's strategy on building world class privacy tools. Here’s a look at what we did in 2019 in this important area. 

Keeping your data private and secure

We’re committed to ensuring that our products meet user expectations around data sharing and data security. This year, we used findings from Project Strobe—an internal review of how third parties can request access to your Google account and Android device data—to implement new policies across Gmail, Android, Chrome and Drive to better protect your data and give you improved controls over the third parties to whom you grant access. We built Password Checkup, which automatically checks the security of all of your saved passwords, tells you if they’ve been compromised, and offers personalized help. Password Checkup started as a standalone Chrome extension, but it was so useful—downloaded more than a million times—that we built it into your Google Account’s password manager. We also introduced the Titan M security chip in Pixel 3a and Pixel 4 to help secure the operating system and your most sensitive on-device data.

Simpler controls in Google products

We've built tools to give you control over your data, easily accessible directly in our various products. This year, we expanded incognito mode across our apps, including Google Maps on Android and iOS, and we launched various auto-delete tools. We also put privacy controls at the forefront of Android settings, and rolled out simple voice commands so you can manage your privacy settings while using the Assistant by saying something like “Hey Google, delete everything I said to you last week.” All these tools make it easier for you to control what information is saved in your Google Account, and for how long.

Investing in privacy engineering

Our significant investment in privacy engineering and research helps improve our own products, as well as everyone’s overall experience online. In May, we opened the Google Security Engineering Center, our engineering privacy hub, where teams are building tools to keep users’ data safe. And for years, our research teams have been building privacy-preserving technologies like federated learning and differential privacy. These technologies provide smart, helpful experiences—like showing you how busy a restaurant is in Maps without identifying the individuals that visited it. In 2019, we open sourced the differential privacy library that powers some of our core products and introduced Tensorflow Privacy, Tensorflow Federated and Private Join and Compute to help other organizations implement these kinds of technologies. And in August, Chrome introduced the Privacy Sandbox and committed to restricting secretive user-tracking efforts such as “fingerprinting,” with the goal of safeguarding user privacy while keeping ad-supported content accessible on the web.

The year ahead in privacy regulation

This is the second year of GDPR in Europe and we invested significantly ahead of its implementation to upgrade our systems and policies, to ensure that we and our partners can comply with its requirements. 


In the U.S., we’ve continued to advocate for strong federal privacy legislation and published a regulatory framework drawn from various privacy frameworks around the world and our own experience. We continue to believe this is the best way to provide safeguards to U.S. users, give businesses clear rules of the road, and avoid a patchwork of conflicting requirements and exemptions. 


Like many businesses, we’ve been working to comply with the requirements of the California Consumer Privacy Act (CCPA), coming into effect on January 1, 2020. The CCPA will require businesses to disclose how they use people’s data, offer opt-outs of data sales, and give individuals rights around accessing and deleting their data. We’re committed to putting its requirements into practice and have invested in our systems to make necessary changes. 


We’ve offered a range of tools for users to access, manage and delete their data like Download your data and Google Account globally for years, so we’re encouraged to see these practices become more widely adopted and codified into law in California. And while we never sell your personal information to anyone, we do let you control how your information is used, including for personalized ads. As we did with GDPR, we’ve made our CCPA data controls and tools available to all users globally, not just in California. Last month, we also introduced Restricted Data Processing, which will allow advertisers, publishers and partners to restrict how data is used on our advertising products, and help them as they work to comply with CCPA. Publisher partners can also easily implement this kind of limited processing for their users globally. Of course, we’ll continue to follow developments around CCPA and ensure we’re taking appropriate steps if new regulatory guidance emerges. 


Rather than just talk about privacy, we’ve spent this year building real tools and protections—they’re already available and used by millions of people. I’m proud of all this, but I also know that our work to build the best privacy protections into the products you use is never done. I look forward to sharing even more with you in the coming months.

How Google and YouTube are working to protect the 2020 U.S. Census

Next year, as it has done every decade since 1790, the U.S. will carry out its constitutional duty to count the population of the United States. In 2020, for the first time, the census will offer individuals the option of completing the census online, in addition to completing it by mail or phone. With over 70 percent of U.S. households using the internet at home, and 80 percent using smartphones, this new format will allow more people to participate in the census next year. 

Yesterday, U.S. Senators Brian Schatz (D-Hawaii), Lisa Murkowski (R-Alaska), and 41 of their Senate colleagues introduced a bipartisan resolution to ensure the census count is fair and accurate, and to urge participation by everyone, and Google is a strong supporter of the resolution.

To support the new online option, we’re working to connect people with useful and high-quality information about the census.  Building upon our ongoing work to protect the integrity of information and civic processes, this past March we established our 2020 U.S. Census Taskforce, a team to support the operations and security of the 2020 Census across Google and YouTube. Its primary objective is to prevent bad actors from abusing our services to spread misinformation, or to conduct fraudulent activity around the census such as phishing or other scams. We’ll provide regular updates on our efforts to the Census Bureau and other relevant organizations. Here's a look at some of the work we're doing on this front.

YouTube policies

YouTube expanded its existing deceptive practices policy to explicitly cover the census process. Videos and comments that aim to misinform viewers about the time, means or eligibility requirements for participating in the census are not allowed on YouTube.

Policies for ads on our platforms

Our policies already prohibit ads that contain misleading uses of official government sites or agency names, or attempt to mimic the layout and design of an official government agency site. Last month we clarified this policy to explicitly prohibit ads featuring incorrect information about how to participate in the census.  

Security protections for Gmail and Chrome

Every day, Gmail blocks more than 100 million phishing emails and Google Safe Browsing helps protect more than 4 billion devices against dangerous sites. Our team is working to ensure that legitimate emails from the Census Bureau are delivered, and to block phishing attempts (such as attempts to drive users to fake census websites, or to hand over personal information or account information). Security tools like Safe Browsing in Chrome are turned on by default, and can warn people of compromised sites related to the census.

Access to authoritative information on Search

Search is designed to surface relevant results from the most authoritative sources available. As part of our efforts to tackle disinformation and stay ahead of the malicious actors that propagate it, we’re improving our systems and elevating authoritative information, particularly for important areas like civics and news.

Engagement with partner organizations

We’ll share actionable information with other companies, law enforcement and the U.S. Census Bureau to help investigate, identify and resolve relevant issues. The U.S. Census Bureau is joining the YouTube Trusted Flagger program so it can augment our efforts by quickly notifying YouTube of census-related content that violates our policies. 

Transparency for government information on Play

To promote transparency about the sources of government information communicated through apps on the Google Play Store, a recent policy update now requires apps that communicate government information but are not affiliated with a government entity to provide users the source(s) of this information. Census partners will need to provide the sources of any census related information they provide in their app and make clear the nature of their relationship with the census.

As other countries make a similar shift to an online census, we hope the work we’re doing for the 2020 Census in the United States will be a strong foundation on which to build.

You can learn more about the count by visiting the U.S. Census Bureau’s official website.

Better password protections in Chrome

Many of us have encountered malware, heard of data breaches, or even been a victim of phishing, where a site tries to scam you into entering your passwords and other sensitive information. With all this considered, data security has become a top concern for many people worldwide. Chrome has safety protections built in, and now we're expanding those protections further. 

Chrome warns when your password has been stolen

When you type your credentials into a website, Chrome will now warn you if your username and password have been compromised in a data breach on some site or app. It will suggest that you change them everywhere they were used.

If your credentials were compromised, we recommend changing them immediately.

Google first introduced this technology early this year as the Password Checkup extension. In October it became a part of the Password Checkup in your Google Account, where you can conduct a scan of your saved passwords anytime. And now it has evolved to offer warnings as you browse the web in Chrome. 

You can control it in Chrome Settings under Sync and Google Services. For now, we’re gradually rolling this out for everyone signed in to Chrome as a part of our Safe Browsing protections.

Phishing protection in real time

Google’s Safe Browsing maintains an ever-growing list of unsafe sites on the web and shares this information with webmasters, or other browsers, to make the web more secure. The list refreshes every 30 minutes, protecting 4 billion devices every day against all kinds of security threats, including phishing.

The Safe Browsing list has been capturing an increasing number of phishing sites.

However, some phishing sites slip through that 30-minute window, either by quickly switching domains or by hiding from our crawlers. Chrome now offers real-time phishing protections on desktop, which warn you when visiting malicious sites in 30 percent more cases. Initially we will roll out this protection to everyone with the “Make searches and browsing better” setting enabled in Chrome. 

Expanding predictive phishing protections

If you're signed in to Chrome and have Sync enabled, predictive phishing protection warns you if you enter your Google Account password into a site that we suspect of phishing. This protection has been in place since 2017, and today we’re expanding the feature further.

Now we'll be protecting your Google Account password when you sign in to Chrome, even if Sync is not enabled. In addition, this feature will now work for all the passwords you store in Chrome’s password manager. Hundreds of millions more users will now benefit from the new warnings.

Chrome will show this warning when a user enters their Google Account password into a phishing page.

Sharing your device? Now it’s easier to tell whose Chrome profile you’re using 

We realize that many people share their computers or use multiple profiles. To make sure you always know which profile you’re currently using—for example, when creating and saving passwords with Chrome’s password manager—we’ve improved the way your profile is featured.

On desktop, you’ll see a new visual representation of the profile you’re currently using, so you can be sure you are saving your passwords to the right profile. This is a visual update and won’t change your current Sync settings. We’ve also updated the look of the profile menu itself: it now allows for easier switching and clearly shows if you are signed in to Chrome or not.

The new sign-in indicator.

From Munich with love

Many of these technologies were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security product experts and engineers based in Munich, which opened last May. GSEC is home to the engineering teams who build many of the safety features into the Chrome browser. We’ll continue to invest in our teams worldwide to deliver the safest personal browser experience to everyone, and we look forward to bringing more new features to strengthen the privacy and security of Chrome in 2020. 

All these features will be rolled out gradually over the next few weeks. Interested in how they work? You can learn more on the Google Security blog.


Updates to Incognito mode and your Timeline in Maps

People turn to Google Maps to make their lives easier—whether it's getting tips and recommendations tailored to your daily commute, or knowing when your favorite restaurants, grocery stores and places may be the most crowded so you can avoid a long wait in line. Handy tools like this are improved by Location History–when you turn it on, this optional setting helps make Maps more useful for everyone, as well as personalized to your needs.


Throughout this year, we've focused on making it easier to control, manage and delete your Location History information. Location History is off by default, and you can choose to delete all or part of your history automatically when you turn it on. We introduced auto-delete controls so you can choose to keep only three or 18 months’ worth of data—anything older than that will be automatically deleted. Your Data in Maps lets you quickly access your Location History and other privacy controls with just a few taps. And on Android, Incognito mode on Google Maps stops searches or places you navigate to within Maps from being saved to your Google Account.


Today, we have two updates: Incognito mode is rolling out on Google Maps for iOS today, and bulk delete in Timeline will arrive on Android next month.


Incognito mode

Incognito mode on iOS works the same way it does on Android. While in Incognito mode, the places you search for or navigate to won’t be saved to your Google Account and you won’t see personalized features within Maps, like restaurant recommendations based on dining spots you’ve been to previously. Using Incognito mode on your phone will not update your Location History, so the places you go won’t be saved to your Timeline.


Bulk delete in Timeline 

Your Timeline is a tool that uses your Location History to help you easily remember places and routes you’ve visited–and on Android, share them with friends. With bulk delete, you can quickly find and delete multiple places from your Timeline and Location History all at once. You’ll still have the ability to delete all or part of your Timeline by date range from your Location History settings. 


How Location History improves Google Maps

We’re committed to providing simple, easy-to-use tools to manage your Location History—as well as clearly explaining how it makes products more useful. Scroll through the images below to learn more about Google Maps features made more helpful by Location History.


Stay up to date on your Location History settings

It’s our goal to help you stay informed about your Location History. If you’ve chosen to turn Location History on, you’ll receive periodic email reminders that let you know what data you’re saving, and ways you can manage it. 


To learn more about Location History and how location works across Google, visit our policy page.


Source: Google LatLong


Protecting users from government-backed hacking and disinformation

Google's Threat Analysis Group (TAG) works to counter targeted and government-backed hacking against Google and our users. This is an area we have invested in deeply for over a decade. Our daily work involves detecting and defeating threats, and warning targeted users and customers about the world’s most sophisticated adversaries, spanning the full range of Google products including Gmail, Drive and YouTube.

In the past, we’ve posted on issues like phishing campaigns, vulnerabilities and disinformation. Going forward, we’ll share more technical details and data about the threats we detect and how we counter them to advance the broader digital security discussion.

TAG tracks more than 270 targeted or government-backed groups from more than 50 countries. These groups have many goals including intelligence collection, stealing intellectual property, targeting dissidents and activists, destructive cyber attacks, or spreading coordinated disinformation. We use the intelligence we gather to protect Google infrastructure as well as users targeted with malware or phishing.

Phishing

We’ve had a long-standing policy to send users warnings if we detect that they are the subject of state-sponsored phishing attempts, and have posted periodically about these before. From July to September 2019, we sent more than 12,000 warnings to users in 149 countries that they were targeted by government-backed attackers. This is consistent (+/-10%) with the number of warnings sent in the same period of 2018 and 2017.

Distribution of government-backed phishing targets in Q3 (Jul-Sep 2019)

Over 90 percent of these users were targeted via “credential phishing emails” similar to the example below. These are usually attempts to obtain the target’s password or other account credentials to hijack their account. We encourage high-risk users—like journalists, human rights activists, and political campaigns—to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.

In the simple phishing example below, an attacker has sent a phishing email with a security alert lure from “Goolge” suggesting the user secure their account. The user clicks the link, enters their password, and may also get asked for a security code if they have two-factor authentication enabled, allowing the attacker to access their account.

Sample lure used to phish Gmail users

Threat detection

Last week at CyberwarCon, we presented analysis about previously undisclosed campaigns from a Russia-nexus threat group called “Sandworm” (also known as “Iridium”). It’s a useful example of the type of detailed threat detection work that TAG does. Although much of Sandworm’s activity targeting Ukraine and their attacks against the 2018 Winter Olympics have been covered publicly, some campaigns have not been reported. 

In December 2017, TAG discovered a series of campaigns from Sandworm attempting to deploy Android malware. The first campaign targeted users in South Korea, where Sandworm was modifying legitimate Android applications with malware. They then uploaded these modified apps to the Play Store using their own attacker-controlled developer accounts. During this campaign, Sandworm uploaded eight different apps to the Play Store, each with fewer than 10 total installs. 

Malicious apps targeting users in South Korea

We also identified an earlier September 2017 Android campaign from Sandworm where they used similar tactics and deployed a fake version of the UKR.net email app on the Play Store. This application had approximately 1,000 total installs. We worked with our colleagues on the Google Play Protect Team to write detections for this malware family, and eliminate it.

In November 2018, we saw evidence that Sandworm shifted from using attacker-controlled accounts to try and upload malicious apps to compromising legitimate developers. Throughout November, Sandworm targeted software and mobile app developers in Ukraine via spear phishing emails with malicious attachments. In at least one case, they compromised an app developer with several published Play Store apps—one with more than 200,000 installs. 

After compromising the developer, Sandworm built a backdoor in one of the legitimate apps and attempted to publish it on the Play Store. They did this by adding their implant code into the application package, signing the package with the compromised developer’s key, and then uploading it to the Play Store. However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected and we were able to re-secure the developer’s account.

Disinformation

TAG is one part of Google and YouTube’s broader efforts to tackle coordinated influence operations that attempt to game our services. We share relevant threat information on these campaigns with law enforcement and other tech companies. Here are some examples that have been reported recently that TAG worked on:

  • TAG recently took action against Russia-affiliated influence operations targeting several nations in Africa. The operations use inauthentic news outlets to disseminate messages promoting Russian interests in Africa. We have observed the use of local accounts and people to contribute to the operation, a tactic likely intended to make the content appear more genuine. Targeted countries included the Central African Republic, Sudan, Madagascar, and South Africa, and languages used included English, French, and Arabic. Activity on Google services was limited, but we enforced across our products swiftly. We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space. This discovery was consistent with recent observations and actions announced by Facebook. 

  • Consistent with a recent Bellingcat report, TAG identified a campaign targeting the Indonesian provinces Papua and West Papua with messaging in opposition to the Free Papua Movement. Google terminated one advertising account and 28 YouTube channels.

Partnerships

TAG works closely with other technology companies—including platforms and specialized security firms—to share intelligence and best practices. We also share threat information with law enforcement. And of course there are multiple teams at Google at work on these issues with whom we coordinate. 

Going forward, our goal is to give more updates on the attacks that TAG detects and stops. Our hope is that shining more light on these actors will be helpful to the security community, deter future attacks, and lead to better awareness and protections among high-risk targets.

Top tips for keeping data safe and secure on Android

Keeping data safe and private is a key priority for Android—and we’ve built a number of features to keep your device secure and give you control. As part of Cybersecurity Awareness Month, here are a few of these features, and our top tips for staying safe on your phone.


Warding off sneaky phishing attacks


Video explaining phishing attacks

Phishing is when a bad actor (we’re talking criminal here, not someone with low-rated movies on Rotten Tomatoes) tricks you into giving them your private information. Phishing can come in the form of a convincing email that looks like it’s from a company or co-worker you know, spam phone calls, and even text messages. 

Typically, these bad actors want to steal credit card numbers, social security numbers, or account login information (usually for financial gain or identity theft), but there may be other pieces of data they’re looking to steal.

Thankfully, you have three important features on your Android device that protect you from phishing:

  • Caller ID & Spam Protection: This shows you when a call you’re receiving may be coming from a suspected spammer.
  • Safe Browsing: This Chrome feature lets you know if you stumble across a website we know to be bad, and will help you quickly get to safety.
  • Phone-as-a-Security-Key: While other forms of on-device two-factor authentication, such as SMS one-time codes and push notifications, can be phished by a remote attacker, Android's built-in security key gives you the strongest form of Google account protection. 

Privacy controls you can depend on

Video explaining Android permissions and privacy controls.

How to protect your privacy with Android

On mobile devices, apps can access a lot of pertinent information such as contacts, web histories, location, photos, and more. This makes apps more useful—for example, helping you navigate to a desired destination in Maps—but you still want to make sure that you control who sees what. 

You can choose how your data is shared with apps and services through a number of different means:

  • Permissions: Apps have to ask you for permission to access certain types of data, like your photos or contacts. To grant or revoke permission, head to Settings > Privacy, if you are using Android 10. For Android Pie and below, head to Settings > Apps & notifications > Advanced > App Permissions.  
  • Location permissions: You can tell an app that it may only access your location when you’re actually using that app, as opposed to “all the time” or “never.”
  • Incognito mode in Google Maps: When you turn on Incognito mode in Maps, your Maps activity on that device, like the places you search for, won’t be saved to your Google Account and won’t be used to personalize your Maps experience.

Keeping bad apps off your device


Bad actors also use potentially harmful applications to steal information. Google Play Protect makes sure these applications stay off your device by automatically scanning your apps to make sure everything is safe. If you do encounter one of these bad apps, Google Play Protect will quickly alert you and instruct you on how to remove the app from your device. 

You can access Google Play Protect by going to the security section of your settings. If you ever want to run a scan manually, you can prompt it to do so there. When it comes to security and privacy on Android, you’re never alone. You have both the underlying, automatic protections and the personalized control you need to keep your information safe and private. Want to learn more? Visit our Security Center today. 

Source: Android


Keeping privacy and security simple, for you

Our goal has always been to create products that are simple, helpful, and intuitive. It’s no different with privacy and security: managing your data should be just as easy as making a restaurant reservation, or using Maps to find the fastest way back home.


Earlier this year, we started rolling out more ways for you to protect your data, including making our controls easier to access, new ways to use Google apps with Incognito mode, and options to automatically delete data like your Location History, searches, and other activity with Google.


Making these controls consistent across our core products will help them become more familiar, and we hope, even easier to use. Today, we’re sharing a few more updates on our progress toward this goal.

Incognito mode arrives in Maps

Incognito mode has been one of our most popular privacy controls since it launched with Chrome in 2008. We added it to YouTube earlier this year, and now we’re rolling it out in Google Maps.

Incognito mode in Maps

When you turn on Incognito mode in Maps, your Maps activity on that device, like the places you search for, won’t be saved to your Google Account and won’t be used to personalize your Maps experience. You can easily turn on Incognito mode by selecting it from the menu that appears when you tap your profile photo, and you can turn it off at any time to return to a personalized experience with restaurant recommendations, information about your commute, and other features tailored to you. Incognito mode will start rolling out on Android this month, with iOS coming soon.

Expanding Auto-delete to YouTube

In May, we announced that you could automatically delete your Location History and Web & App Activity, which includes things you've searched and browsed. We promised to bring this to more products, and now we're bringing Auto-delete to YouTube History. Set the time period to keep your data—3 months, 18 months, or until you delete it, just like Location History and Web & App Activity—and we’ll take care of the rest.
Auto-delete in YouTube History

Control your privacy with your voice in the Assistant

We’re adding new ways to easily understand and manage your data in the Assistant.

First, when you ask questions like “Hey Google, how do you keep my data safe?” the Assistant will share information about how we keep your data private and secure.

We’re also making it easier to control your privacy with simple voice commands. In the coming weeks, you’ll be able to delete Assistant activity from your Google Account just by saying things like “Hey Google, delete the last thing I said to you” or “Hey Google, delete everything I said to you last week.” You won't need to turn on any of these features—they will work automatically when you ask the Assistant for help. If you ask to delete more than a week's worth of data from your account, the Assistant will point you directly to the page in your account settings to complete the deletion. We’re rolling this out in English next week, and in all other languages next month.

Privacy actions in the Assistant

Strengthening your password security

Protecting your privacy online requires strong security, and that’s why we protect your data with one of the world’s most advanced security infrastructures.

Tools like our Security Checkup help by automatically detecting potential security issues with your Google Account and making it easy for you to add extra protections to keep your account safe, like removing old devices or unused apps that still have access to your account.

But we also want to help protect you across the internet, and a big part of that is helping you remember passwords for your other online accounts. With so many accounts, bad habits like using the same password across multiple services are common, and make all of your accounts as vulnerable as the weakest link. If someone steals your password once, then they could access your information across different services using that same password. 

Our password manager automatically protects your passwords across your different accounts, and today, in time for Cybersecurity Awareness Month, we’re making it much more powerful. We’re introducing the Password Checkup, a new feature that—with one click—tells you if any of your passwords are weak, whether you’ve reused them across multiple sites, or if we've discovered they've been compromised (for example, in a third-party data breach). Find more about the Password Checkup in this post.

Password Checkup

We’re constantly working to improve the products that billions of people use, right now. We’re also looking to the future so that teams at Google, and other organizations, can build new products and develop new engineering techniques, with privacy and security as core principles. In May, we opened the new Google Safety Engineering Center where we expect the number of privacy engineers to double by the end of 2019. We’ve also open-sourced technologies like our differential privacy library, Private Join and Compute and Tensorflow Federated. These will help any institution—from hospitals to governments to nonprofits—find better ways to gain insights from their data while protecting people's privacy.

As technology evolves, so do people's expectations for security and privacy. We look forward to building protections that aim to exceed those expectations, and will continue sharing regular updates about this work.

To stay secure online, Password Checkup has your back

We’ve all been there. Compromising security for convenience, we put our personal information at risk with poor password habits. One in four Americans use common passwords—like Abc123 and Password1111. Sixty-six percent of Americans admit to using the same weak password across multiple sites, which makes all those accounts vulnerable. And every day, new data breaches publicly expose millions of usernames and passwords.

Until passwords become a thing of the past (trust us, we’re working on it), there’s a simple and secure solution: use a password manager, like the one built into your Google Account and Google Chrome. It generates strong, unique passwords for all your online accounts, auto-fills them as you sign in, and helps keep them safe in a central place. 

Today we’re launching the Password Checkup—a new feature built into our password manager that checks the strength and security of all of your saved passwords, tells you if we find they’ve been compromised (for example, in a breach), and gives you personalized, actionable recommendations when needed. 

A built-in password manager in your Google Account


With a single click, the Password Checkup tells you if: 


  • Your passwords have been compromised in a third-party breach. We’ve found more than 4 billion usernames and passwords that have been exposed due to third-party breaches. If any of these are yours, attackers could have these passwords and access your information. 

  • Your passwords are being reused across different sites. If someone gets access to a password that you reuse on multiple sites, they can use it to sign into your other accounts as well.

  • Your passwords should be strengthened. Weak passwords can be easily guessed by attackers, putting your personal information at risk. 

This is just one way we help protect you across the internet, not just on Google. The Password Checkup and the password manager are built into your Google Account, along with many other important privacy and security controls. To manage and check all of your saved passwords, you can go directly to passwords.google.com.

Coming soon: Always-on protection with Chrome

The Password Checkup is built from our Chrome extension launched earlier this year, which alerts you if your username or password has been compromised in a third-party data breach. The extension has been downloaded more than 1 million times, with nearly half of those users receiving a warning for a compromised password. Later this year, we’ll build Password Checkup technology directly into Chrome for everyone—so you get real time protection as you type your password without needing to install a separate extension. 

Features like Security Checkup, password manager and now the Password Checkup are all examples of how we're continuously working to make your online experience safer and easier—not just on Google, but across the web. So the next time you’re struggling to remember how many !’s and 1’s you added to your last password, we can help you with that. 

Build security into your next website

If you wanted to send a secret message by mail, would you rather send it in an envelope, or on a postcard? If you send it on a postcard, anyone who saw the postcard on its way to the recipient could read the message, or even make changes to what’s written.

Encryption on a website functions like an envelope, protecting information passed between your website and its visitors so it can’t be snooped on or changed. It’s what keeps your visitors safe from bad actors who may try to alter your site’s content, misdirect traffic, spy on open Wi-Fi networks, and inject malware or tracking. You achieve encryption on a website by installing an SSL (Secure Sockets Layer) certificate. This certificate ensures that the data passed between a web server and a browser remains private. 

To kick off National Cyber Security Awareness Month, we’re highlighting something that many website owners don’t realize—a single page that isn’t encrypted could potentially be used to gain access to the rest of the website. To avoid this, you need encryption on your entire website, not just for pages that are collecting credit card numbers or log-in info. Even unencrypted landing pages that redirect to an HTTPS page can pose risks. A single unprotected page can become a backdoor for bad actors to snoop on the rest of the site. How do you ensure your entire website is encrypted?

Use a top-level domain that is HSTS preloaded. 

The HSTS preload list tells modern browsers which websites to load only over an encrypted connection. The fastest way to get on this list is to use a top-level domain that’s already on the HSTS preload list, such as .app, .dev, or .page. Any website on those extensions gets the security benefits of HSTS preloading from day one, so all you need to do is install your SSL certificate.

Add your website to the HSTS preload list yourself. 

Websites can be individually added to the HSTS preload list by the website owner at hstspreload.org. Keep in mind this can be a slow process because the list is manually built into the browser. That means updates to the list are made as new browser releases come out, which can take months to occur for all browsers.

More people are creating websites than ever before, with 48 percent of the U.S. population planning to create one. To help make building your secure website a bit easier, we’ve teamed up with some of our registrar partners, who are offering free SSL certificates during the month of October. We’re also kicking off a video series where existing creators will share their tips for launching a website. You can check them out at safe.page/buildsecurely.