Google States What Needs To Be Said

How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How many of you have a password policy that makes you change your corporate password every month, for example?

You hear that? That’s the sound of crickets chirping as practically each and every one of you tries to avoid eye contact with everyone else, because most of you probably haven’t changed the password to your personal email account since you first set it up. Now consider how many things are tied to that email account. Password resets for your bank accounts, your credit card accounts, your Facebook, Twitter, and blog accounts; personal email accounts are treasure troves of information for attackers. A compromised personal email account is the perfect information source for an ongoing attack against a user because so many other accounts can be compromised without the victim being aware. And the majority of users will not change their password unless a system prompts them to.

Which is why Google has started a campaign to get users of its popular Gmail service to start changing their passwords. A new banner will appear at the top of the Gmail web page on accounts whose passwords haven’t been changed in an unspecified, but probably long, period of time.

The link takes users to a page that offers advice for good password management, including

  1. Using a unique password for each unique account.
  2. Using a complex password.
  3. Advice for creating a password that is difficult to guess.
  4. Updating password recovery information, and
  5. Tips for storing passwords when your memory just isn’t good enough.

And after all, with dozens if not a hundred or more unique accounts, who can keep unique passwords for each and every account in their head?

Google has also led the industry by offering two factor authentication to users at no charge, using SMS messages to their cell phones to provide the second factor, and offers it as an additional way to secure accounts on this same page. Whether you choose to take advantage of this or not, or even whether or not you use Gmail, changing your password for your personal email account is something that is probably long overdue.

They even included a pretty good, very short video that talks about how to create strong passwords. It lasts less than a minute, is easy for non-techies to follow, and is completely neutral. Here is a link to that video.

As soon as you have changed your password, write up a nice little blurb to include in your weekly security tips to your users, reminding them to change the passwords on their personal accounts too. Remember this bit of security advice my dentist taught me years ago:

“passwords are like toothbrushes; you don’t want to share them with anyone, and you need to change them often.”

Written by Casper Manes

I currently work as a Senior Messaging Consultant for one of the premier consulting firms in the world. I cut my teeth on Exchange 5.0, and have worked with every version of Microsoft’s awesome email package since then, as well as MHS, Sendmail, and MailEnable systems. I've written dozens of articles on behalf of my past employers, their partners, and others, and I finally decided to embrace blogging and social media, so please follow me on Twitter @caspermanes if you enjoy my posts.

7 Comments

  1. Craig Sutherland · December 1, 2011

    Definitely true here, and good on Google for taking the initiative while at the same time not forcing users’ hands; that’s the appropriate way to get the message across without making your users sigh and go “Again?” I wonder how long that time frame is though, I’m willing to bet 90 days maybe.

  2. Gilbert Mason · December 2, 2011

    I haven’t encountered this message yet. Mine just says “Google Buzz is going away, but your posts are yours to keep. Learn more Hide”

    I commend Google, particularly Gmail, for this sort of public advisory. Gmail has been the company’s “jewel” for many years now and it should protect what it considers as its most important product to date (next of course to its unbeatable search engine platform).

    Many Gmail users are still not aware of the hazards of using basic passwords and not changing their passwords often. That’s why I told my wife and kids to use several different complex passwords that only they know – and not to use their birthdays, our dogs’ names, our anniversary, where we were born, places we go often, 12345, “password”, “password123”, etc.

    I don’t only apply this rule to my Gmail. I also use it for all my online accounts – especially for my PayPal, banks, credit cards, company email, Facebook, and even my Netflix.

  3. Casper Manes · December 2, 2011

    Thanks for dropping by Craig…if I had to guess, I would guess a year. I don’t have any real reason for that other than my gut, but that’s what it says.
    Cheers,
    Cas

  4. Trive Owens · December 2, 2011

    Nice password quote. I believe it’s from Clifford Stoll – one of America’s most popular astronomers. He is also a celebrated technology author of three amazing books:

    – Second thoughts on the information highway
    – Reflections of a Computer Contrarian
    – The Cuckoo’s Egg

    Clifford Stoll has the mind of a hacker. It’s no wonder he’s considered an expert in this field, especially regarding computers, passwords, and the Internet. Remember Markus Hess? He was the most famous hacker back in the 80s. Stoll helped capture Hess in 1986.

  5. Carlos Gabriel · December 5, 2011

    Well, this is the least Google can do for its Gmail users. The Gmail platform serves as Google’s primary window to its other programs and apps such as Google Docs, YouTube, Google Maps, and just recently Google Plus.

    If anything happens and a user’s Gmail account is compromised (hacked, attacked, and / or injected), all of that user’s other Google-based accounts will also be in danger including all his or her search engine histories and caches. Giving this password advisory is a win-win solution both for Google and its users.

  6. Casper Manes · December 5, 2011

    Trive,
    Indeed it was, thanks for that. Clifford Stoll FTW.

    Carlos,
    Spot on, it is the gateway to so many other things on Google.

    Thank you both for commenting,
    Cas

  7. J Carls · December 7, 2011

    Think of the Gmail users as investments. Google has to protect its investments for the future monetary gains of the company. Users are like money; they can make websites prosper. Take for instance Facebook. At first, the social media platform only had several hundred users. But as time went by, it multiplied to thousands, then millions (at present it’s estimated that FB has more than 800 million users worldwide).

    Users from Myspace and Friendster migrated to Facebook. As a result, the said tech enterprise became one of the richest companies on the World Wide Web – mainly because of its users.
