Google's Gmail Warning: Change Every Password That's On This List
Google has confirmed that attacks on Gmail users are now surging and are behind 37% of successful intrusions. Password theft, including by infostealer malware, is allowing hackers to gain access to accounts, and that malware is increasingly being used to enable intrusions using stolen credentials.
The company warns users to upgrade the security on their accounts by always using a passkey or "Sign in with Google" instead of a password. That also means never signing in through a linked or popup sign-in window, using only strong, unique passwords, and enabling a non-SMS form of two-factor authentication (2FA).
However, most users have yet to add passkeys. Unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user's device. Hive Systems warns that "password reuse, short character lengths, and weak complexity remain some of the easiest ways attackers gain access to systems."
A Guide to Creating Strong Passwords
The team at Hive Systems has listed "time-to-crack estimates for passwords of various lengths and character sets." According to their research, a combination of upper and lowercase letters, numbers, and symbols is best, but only if it's eight characters or more.
But in the real world, an attacker does not start from scratch. The times to crack are much shorter, sometimes no time at all. It doesn't matter how long or complex your password is. If it's reused and has been breached or stolen, then all accounts with that same password will be at risk.
Take a look at NordPass's top-200 most common passwords, a horror list now in its sixth year of shaming us all into better password hygiene. If your password makes the list or is anything like one of those on the list, then change it now — right now.
Assembling the Data
NordPass analyzed passwords stolen by malware or exposed in data leaks to assemble the data. According to their research, if your password makes the list or is anything like one of those on the list, then change it now.
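The advice to change a password that "is anything like" a listed one can be checked mechanically. The following is an added example, not code from NordPass, Hive Systems or Google: `SAMPLE_COMMON` is a constructed stand-in for the published list, and the function names, substitution table and 0.85 similarity cutoff are assumptions.

```python
import difflib
import re

# Constructed stand-in entries; in practice load the published list from a file.
SAMPLE_COMMON = {"123456", "password", "qwerty", "iloveyou", "admin", "welcome", "dragon"}

# Character substitutions people use to dress up a common word (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalised_forms(candidate):
    """Return the lowercase candidate plus forms with padding and substitutions undone."""
    base = candidate.strip().lower()
    core = re.sub(r"[\d\W_]+$", "", base)          # drop trailing digits and symbols
    forms = [base, core, base.translate(LEET), core.translate(LEET)]
    return [f for f in dict.fromkeys(forms) if f]  # de-duplicate, skip empty strings

def check_password(candidate, common=SAMPLE_COMMON, cutoff=0.85):
    """Classify a candidate as 'listed', 'similar' or 'not found' against a common list."""
    base = candidate.strip().lower()
    if base in common:
        return ("listed", base)
    forms = normalised_forms(candidate)
    # A listed word hidden behind padding or substitutions ("P@ssw0rd1!").
    for form in forms:
        if form in common:
            return ("similar", form)
    # A listed word with a small typo or dropped character ("passwrd").
    for form in forms:
        close = difflib.get_close_matches(form, common, n=1, cutoff=cutoff)
        if close:
            return ("similar", close[0])
    return ("not found", None)
```

A "not found" result only means the candidate does not resemble the list; it says nothing about whether that password has been reused or exposed in a breach.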
Crafting a Good Password
Better still, use a standalone (not browser-based) password manager to create strong, unique passwords for all accounts. Together, the NordPass and Hive Systems reports should explain exactly how to craft a good password.
Protecting Your Google Account
Google's in-house account audit is a great way to check who has "copies of that key." Android Police reminds users to run the Security Checkup tool while logged in to check for any suspicious activity.
"Carefully review this list," Android Police suggests. "Do you see a computer, tablet, or phone you don’t own or have long since gotten rid of? If so, click it and select Sign out." And if you see your phone listed multiple times, it could just be that you're using different web browsers.
This checkup is worthwhile for a host of other reasons as well. As Google says, "to protect your Google Account, we strongly recommend following the steps below regularly."
The Need for Robust Account Security
The fact that AI platform scans now access our most sensitive data stores in the interests of convenience and potential trial productivity gains makes robust account security even more critical.
I have warned before that Gmail users need to be mindful of the raft of new Gemini upgrades coming to their inboxes. Whether it's AI-fueled relevancy search, summaries or smart replies, once an AI platform is rifling through your content you need to be very certain there are no weak entry points being left behind.
Privacy Concerns with ChatGPT
Mashable warned after OpenAI's announcement that "there are, of course, privacy concerns here. Some of us have been using Gmail for a decade or more, meaning a lot of personal info can be hidden in there. Giving over access of that to a chatbot that vacuums up data by design might be a bridge too far for some users."
Futurism goes even further, saying "it’s staggeringly easy for hackers to trick ChatGPT into leaking your most personal data," adding that "this is very, very bad."