Google warns 2.5 billion users to ditch their passwords immediately.
While passwords hold the gateway to our accounts and private data, there's growing evidence to suggest they might just not cut it anymore.
Last week, you might have heard about a notorious hacker group that is actively targeting Google account holders after gaining access to a massive database through a third-party breach.
The attacks originated from a security incident involving Salesforce's cloud platform, which exposed users of Google services to follow-up intrusions.
Advert
With approximately 2.5 billion people using Gmail and Google Cloud services, the tech giant is urging users to remain vigilant for suspicious activity and enforce stronger security measures.
“If you do not have a good password on your email, the rest of your life is pretty much wide open, because every single service out there does reset password by sending you an email,” said Graham-Cummings. “So if I can compromise your email, I can compromise pretty much everything else you have.”
In a follow-up to that, Google is advising Gmail users to stop using their passwords altogether. Here's why.
During the breach, the attackers obtained business-related Gmail data including contact lists, company associations, and email metadata.
Google has confirmed the direct connection between the Salesforce breach and a sharp increase in targeted phishing campaigns. Attackers are now impersonating Google employees, IT departments, and trusted vendors with unprecedented accuracy, using the stolen business data to make their scams believable.
Rather than just telling people to create stronger passwords, Google is pushing a different approach. Passkeys eliminate passwords entirely by using your device's biometric authentication.
Jeff Shiner, CEO of 1Password, explains how passkeys work from a user perspective.
“A pass key, from an end user point of view, looks like the biometrics on your device,” says Shiner. “The cool thing about a passkey is that to the end user, you never have a password for that service. You just use your biometrics, and then a passkey is created."
He added: "But, from a security point of view, it’s actually stronger than a password—even a strong password—because it can’t be phished.”
While Google still recommends changing your password regularly in case of compromise, the company's bigger message is that it's time to move beyond passwords altogether.
On a similar note, Google is also pushing users to extra layers of security. When logging into your account, app-based two-factor authentication (2FA) is advised over SMS codes, as there's less chance of them being intercepted or spoofed.