Google password tips not strong enough
New advice from Google is useful if you're new to passwords, but lacks the spine to make much difference.
Google admonished its users to be more careful with passwords in a blog post on Thursday, but two security experts say that tech giant should spend more time pressuring developers and companies to do more to help their customers.
Google's tips encompass password basics: use a different password for each important service; make your password hard to guess; keep your password somewhere safe; and set a recovery option.
"For the general consumer, I think it's a fantastic start," said Alex Salazar, CEO of Stormpath, an authentication service for developers. But, he said, "everything they said here isn't news to people who understand security."
Mary Landesman, a Cisco senior security researcher with expertise in passwords, agreed. "I applaud them for trying to spread awareness. I think it was a little simplistic," she added. "One of the biggest issues that users face isn't necessarily how strong their password is, but the number of sites that are getting compromised."
On the end user side, Landesman said that Google could've advised people to choose passwords with spaces whenever possible, as explained in a famous XKCD webcomic. The problem there, she and Salazar agreed, is that not enough sites let you do that.
"Here at Cisco we came across a group of passwords in the recent WordPress brute force attempts, and a large number of them you could call reasonable and very strong," she said. "But if you're re-using that password, it doesn't matter how strong it is."
Salazar explained the problem further by explaining that when you use the same password on a well-known, highly-secure site as a smaller site with weaker security, all it takes to get your password to password to the more important site is to hack the smaller one.
"I think that consumers should be more aware about the applications they're putting their data into," he said. "This is the strongest reason why you should be using different passwords for different systems."
But they both had tough words for Google, too. In addition to educating individuals about how to choose better passwords and how to better protect them, Landesman said that Google ought to pressure developers and companies to improve their own security practices.
"I think I would've liked to have seen a call for action to the industry to do more to make it possible for users to be safe," she said.
Salazar outlined three steps that Google didn't take that it could still choose to do. First, he said, Google could pressure companies to implement systems that force people to choose passwords that are easy to remember but hard to break.
"The companies and the websites that are specifying the passwords have to enable users to do the right thing," said Landesman. "You want your password to be 12 to 14 characters, but not all sites allow that."
From the company perspective, the problem there is the engineering cost: getting existing companies to change their source code, run quality assurance tests, and deploy the code.
The second suggestion Salazar had was that Google could be a much stronger advocate for two-factor authentication, which it offers as an option for its Google accounts. "I think it would've been very valuable for them to promote their 2FA on this post," he said. "You're not seeing as wide adoption for it as there could be."
A third action that Google could take would be to publish guidelines for developers, Salazar said. Google should be "talking about why it's important to not put your own customers at risk," he said.
"We hear a lot of users are stupid and it's their fault, but users aren't stupid and it's not their fault," Landesman said. "[Password security] is tilted against the user."