Google security: You (still) are the weakest link
At its I/O conference, two of Google's top-level security experts say the company is intensely focused on the issue, but passwords remain a thorny problem.
SAN FRANCISCO--Two of Google's top Chrome and Google Apps security experts confessed that the problem of passwords will continue to plague the people who use them and computer security for the foreseeable future.
On the second day of the company's I/O conference here on Thursday, Eran Feigenbaum, the director of security for Google Apps, suggested that people follow three recommendations to stay safer online.
"You should turn on two-step verification, make sure [the browser] is up to date, and make sure your password recovery options are set," the six-year veteran of Google said.
His colleague, Parisa Tabriz, the head of Chrome security whose official title is "Security Princess," offered two more. "In Chrome you can set up multiple profiles, and you can use Incognito," she said, to avoid the technique of switching browsers while keeping profile information separate.
Not surprisingly, they said fixing passwords -- so that your account won't be compromised when passwords are stolen from database breaches or phishing attacks -- remains a difficult problem to solve.
"We are working on other approaches," said Feigenbaum. "But the challenge is something that users have with them, because two-factor authentication has a physical component."
This could be a phone, but it could also involve biometrics taken from a Webcam or microphone.
Even two-factor authentication is not trouble-free, Tabriz said. "You could clone a thumbprint with a gummy bear," she said, explaining one proof-of-concept way to break a thumbprint reader.
Sundar Pichai, the head of Chrome and Android, spoke of security as being a "core value" at Google during his keynote presentation at I/O on Wednesday. While it's true that Google has devoted much of its time and energy to making Chrome and Google Apps safer, it has not been able to create a system more effective than the password yet.
Tabriz noted that "there's something to be said for the fact that passwords work." It's not as if your passwords don't protect you. They're just not the pinnacle of computer security.
Another solution being worked on involves one-time passwords, said Feigenbaum. There's also third-party password managers, but they bring their own risks. "The difficulty with password managers is that they're storing passwords locally," he said, although many password managers, including popular ones such as LastPass, store your passwords in the cloud.
He joked, "We're coming out with a system based on your DNA."
One of the major problems with passwords is that they're forced to be complex in order to be harder for machine logic to guess, but that makes them harder to remember, too. "It's really unfortunate that there's a lot of conflicting advice and a lot of wrong advice," Tabriz said. Another part of the problem: as we improve machine logic, computers get better at guessing our passwords.
"Unfortunately," she said, "the human is often the weakest link in security."