Managing online passwords

When it comes to online security, many users feel overwhelmed. Google's Mark Risher and Stephan Micklitz talk about taking these emotions into account when developing security measures

Mr Risher, you’re a Director of Product Management at Google working in the realm of Internet security. Have you ever fallen victim to an online scam?

Mark Risher: I can’t think of a concrete example right now, but I can only assume so. I make mistakes when surfing the web just like everyone else. For example, I recently entered my Google password on the wrong website. Fortunately, I’d installed the Chrome Password Alert plug-in, which pointed out my mistake. I then changed my password immediately, of course.

Stephan Micklitz, Director of Engineering at Google's Privacy and Security team: It’s only human. Once we've memorised a password, it can easily happen that we type it in without paying close enough attention to where we’re entering it.

Risher: We’d love to do away with passwords altogether, but unfortunately it’s not that easy.

'Many security measures happen behind the scenes.'

Mark Risher

What’s so bad about passwords?

Risher: They have a lot of drawbacks: they’re easy to steal but hard to remember, and managing our passwords can be tedious. Many users believe that a password should be as long and complicated as possible – even though this actually increases the security risk. Complicated passwords tempt users into using them for more than one account, leaving them even more vulnerable.

Micklitz: The less often you enter a password, the better. That’s why you shouldn’t repeatedly sign in and out of your accounts. Over time, this can result in users not paying attention to which web page they’re currently on, making things much easier for password thieves. Therefore, we advise our users to stay logged in.

My bank’s website logs me out automatically if I’ve been inactive for a few minutes.

Micklitz: Unfortunately, many companies are still following outdated rules. The advice to constantly log out comes from a time when most people went online in Internet cafés or shared a computer with others. Our research shows that the more times people enter their passwords, the more likely they are to be victims of a cyberattack. It’s therefore safer to simply activate the screen lock on your mobile phone or computer and to use a secure password.

Risher: That’s right. Unfortunately, there’s a lot of false or impractical advice in circulation, which can be confusing for many users. In a worst-case scenario, people are left feeling so uncertain that they simply give up: 'If it’s so hard to protect myself, then I might as well stop trying.' This is a bit like always leaving the front door open because you know there are burglars around.

Mark Risher
USB Security Key

Mark Risher is Google’s Director of Product Management for security and privacy. In 2010, he founded the cybersecurity startup, Impermium, which was acquired by Google in 2014. Since then, Risher has worked at the company’s headquarters in Mountain View, California. On the right: A security key as used in the Advanced Protection Programme. It's available for a small fee and can be used on a variety of websites.

How would Google ensure user security if passwords were abolished?

Risher: We already have many additional security measures running behind the scenes. A hacker could learn your password and your mobile phone number, and we’d still be able to guarantee 99.9% security for your Google Account. For example, we check which device or country someone is logging in from. If someone tries to log in to your account several times in a row with an incorrect password, this sets off alarms in our security systems.

Micklitz: We’ve also developed the Security Check-Up, which allows users to go through their personal security settings in their Google Account step by step. And with the Advanced Protection Programme, we go one step further.

What’s the idea behind this programme?

Micklitz: Originally, the programme was developed for people like politicians, CEOs or journalists who could be of particular interest to criminals. But now it’s available to anyone who wants extra online protection. Only those with a special USB or Bluetooth dongle can gain access to their protected Google Account.

Risher: We know from experience how effective this system is, as all Google employees use a security key to keep their company account secure. Since introducing this security measure, we haven’t had one single case of phishing that could be traced back to password confirmation. The token vastly improves Google Account security, because even if attackers know the password, they can’t access the account without the token. Generally, an online account can be hacked from anywhere in the world; this isn’t an option for accounts that are protected with a physical security token.

Micklitz: By the way, these security tokens can be used for many websites – not just for Google’s Advanced Protection Programme. You can buy them from us or other providers for a small charge. All the details can be found at g.co/advancedprotection.

'People sometimes find it difficult to assess risks on the Internet.'

Stephan Micklitz

In your opinion, what are the greatest dangers lurking on the Internet today?

Risher: One problem is the many lists of usernames and passwords that exist online. Our colleague Tadek Pietraszek and his team spent six weeks scouring the Internet and found 3.5 billion username and password combinations. This isn’t data from hacked Google Accounts – it was stolen from other providers. However, because many users use the same password for several accounts, these lists also pose a problem for us.

Micklitz: I see spear phishing as a huge problem. This is when an attacker crafts such a cleverly personalised message that it’s difficult for the victim to recognise fraudulent intent. We’re seeing hackers employ this method more and more – with success.

Risher: I agree with Stephan. Plus, spear phishing isn’t nearly as time-consuming as it may sound. It often only takes a few minutes to personalise a spam email. Hackers can use the information that users publish about themselves online. This is a problem with cryptocurrencies, for example: People who make it publicly known that they own 10,000 Bitcoin shouldn’t be surprised if this information attracts the attention of cybercriminals.

Micklitz: It would be like me standing in the middle of a marketplace with a megaphone, announcing my bank account balance. Who would do that? Nobody. But people sometimes find it difficult to assess risks on the Internet.

Are regular spam emails still a problem?

Risher: The linking up of devices and services is a big challenge for us. People aren't just using laptops and smartphones to go online – they’re also using TVs, smartwatches and smart speakers. Various apps run on all of these devices, offering hackers many different potential points of attack. And because many devices are now connected, hackers can use one device to try to access information stored on another. So we now have to address the question: how can we guarantee the safety of our users in spite of the multitude of new usage habits?

Micklitz: It starts with us asking ourselves which data we really need for each service – and which data is exchanged between services.

How do you use artificial intelligence to help protect users?

Micklitz: Google has been using artificial intelligence for quite some time now.

Risher: The technology was incorporated into our email service, Gmail, from the very start. Google even developed its own machine learning library called TensorFlow, which facilitates the work of programmers involved in machine learning. Gmail, in particular, benefits from TensorFlow, as it provides a valuable service when it comes to recognising typical patterns.

Can you explain how this pattern recognition works?

Risher: Let’s say we observe suspicious activity among several users who we can’t categorise. A self-learning machine can compare these events and, in the best-case scenario, detect new forms of fraud before they even start to spread online.

Micklitz: But there are limits: a machine is only as intelligent as the person using it. If I feed a machine with false or one-sided data, the patterns it recognises will also be false or one-sided. Despite all the hype surrounding artificial intelligence, its effectiveness always depends on the person using it. It’s up to the user to train the machine with high-quality data and to check the results afterwards.

Risher: Once, when I was working for a different email provider, we received a message from a bank employee in Lagos. At the time, there were a lot of fraudulent emails in circulation – supposedly coming from Nigeria. The man was complaining that his emails would always end up in the recipient’s spam folder, even though he worked for a reputable bank. This is a typical case of false generalisation within pattern recognition due to insufficient information. We were able to help solve this problem by changing the algorithm.

Photographs: Conny Mirbach

Cybersecurity

Learn how we keep more people safe online than anyone else in the world.

Learn more