Google’s Gmail Warning—Change Every Password That’s On This List

Check your password now. (NurPhoto via Getty Images)
Republished on August 9 with further advice on keeping your Google account secure.
Google has confirmed that attacks on Gmail users to steal security credentials are now surging and are behind “37% of successful intrusions.” Put more simply, password theft is allowing hackers to gain access to accounts. This includes infostealer malware, “which is increasingly being used to enable intrusions using stolen credentials.”
Google warns users to upgrade the security on their accounts. This means always using a passkey or “Sign in with Google” instead of a password. It means never using a linked or popup sign-in window. But it also means using only strong, unique passwords and enabling a non-SMS form of two-factor authentication (2FA).
Google’s research finds most users are yet to add passkeys, even though “unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device.” More worryingly, most users “still rely on older sign-in methods like passwords.” So, it’s critical those passwords are not a gift to hackers.
Hive Systems warns “password reuse, short character lengths, and weak complexity remain some of the easiest ways attackers gain access to systems.” The team has listed “time-to-crack estimates for passwords of various lengths and character sets.”
This guide shows why a combination of upper and lowercase letters, numbers and symbols is best, but only if the password is eight characters or more. It also takes a standalone “brute force” approach. In the real world, an attacker does not start from scratch, which means the times to crack are much shorter — sometimes no time at all.
Hackable Passwords (Hive Systems)
It doesn’t matter how long or complex your password is. If it’s reused and has been breached or stolen, then every account using that same password is at risk.
Take a look at NordPass’s top-200 most common passwords, a horror list now in its sixth year of shaming us all into better password hygiene. To assemble the data, “we analyzed passwords stolen by malware or exposed in data leaks,” the firm says.
If your password makes the list or is anything like one of those on the list, then change it now — right now. The combination of the NordPass and Hive Systems reports should explain exactly how to craft a good password. Better still, use a standalone (not browser-based) password manager to create strong, unique passwords for all accounts.
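As an added illustration (not from the article, Hive Systems or NordPass) of how the two reports fit together: the brute-force estimate grows with length and character classes, but a password that is on, or is a trivial variant of, a leaked list is cracked instantly regardless. The guess rate, the class sizes and the short leaked list are constructed assumptions.

```python
import string

# Character classes, counted the way a time-to-crack table counts them.
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digits": set(string.digits),            # 10
    "symbols": set(string.punctuation),      # 32
}

# Constructed stand-in for a leaked/common-password list (not NordPass data).
LEAKED = {"123456", "password", "qwerty", "iloveyou", "admin"}


def charset_size(pw: str) -> int:
    """Sum the sizes of the character classes the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))


def brute_force_seconds(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a fixed guess rate."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def normalise(pw: str) -> str:
    """Strip the trailing digits/symbols people bolt on, then casefold."""
    return pw.rstrip(string.digits + string.punctuation).casefold()


def resembles_leaked(pw: str, leaked=LEAKED) -> bool:
    """True if the password, or its trivial variant, is on the leaked list."""
    base = normalise(pw)
    return pw in leaked or (base != "" and base in {normalise(p) for p in leaked})


def assess(pw: str, guesses_per_second: float = 1e10) -> dict:
    """Real-world check first (reuse/leak), then the standalone brute-force estimate."""
    if resembles_leaked(pw):
        return {"password": pw, "verdict": "instant: on or near a leaked list", "seconds": 0.0}
    return {"password": pw, "verdict": "brute force only",
            "seconds": brute_force_seconds(pw, guesses_per_second)}


if __name__ == "__main__":
    for pw in ["password", "Password1!", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        r = assess(pw)
        print(f"{pw!r:30} {r['verdict']:34} {r['seconds']:.3g} s")
```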
Top 20 “Most Common Passwords” (NordPass)
None of this changes the most critical advice though. Add a passkey to your Google account and always use it to sign in. Replace SMS 2FA with an authenticator app. And never log into any Google account through a linked or popup sign-in prompt.
While Gmail accounts might be one of the most prized targets for hackers targeting Google users, Android Police has just reminded all those users that “your Google Account is the skeleton key to your digital life.” In addition to Gmail, it unlocks “Google Photos, Google Drive, saved passwords, and more.” You need to keep it safe.
The website offers the sound advice to run Google’s in-house account audit. While logged in, open Google’s Security Checkup tool to check who has “copies of that key.”
You should first check the “Manage all devices” setting. “Carefully review this list,” Android Police suggests. “Do you see a computer, tablet, or phone you don’t own or have long since gotten rid of? If so, click it and select Sign out.” And “if you see your phone listed multiple times,” it could just be that you’re “using different web browsers.”
This checkup is worthwhile for a host of other reasons as well. As Google says, “to protect your Google Account, we strongly recommend following the steps below regularly.” And within that checkup, you could see “a red, yellow, or blue exclamation point icon to recommend immediate action for your Google Account.”