
June 1, 2020

Google’s Password Checkup Surprisingly Robust


As somebody who’s been working on and writing about computer and information security since the 1990s, you’d think I’d have my security act completely together. But as we all know, it’s a lot harder to “walk the walk” than it is to “talk the talk.” Google rubbed my face in this all-too-common failing yesterday when I somehow found myself looking at the results of its built-in Password Checkup utility. I’m still not sure how or why it launched (or if I launched it myself by accident somehow). So far, the only way I’ve been able to force-launch it is to enter the URL for Password Checkup in its own tab or window: https://passwords.google.com/checkup/start?ep=1. I can happily leave that mystery alone because I want to discuss what the tool found when it ran its check and how I dealt with (most of) its findings. The intro graphic for this story shows what you see when you enter the preceding URL.

Working with Google Password Checkup

Once you click the “Check Passwords” button, it’s time to provide the password for the Google account to which your password manager’s storage is tied. This produces 3 categories of information:

+ Compromised passwords: The count shown for this category covers what Google describes as “passwords which were exposed in a third-party data breach.” Google recommends that you “Change these passwords immediately to keep your accounts safe.” I started out with 40-odd items in this category, and whittled it down to one (it requires clicking a link in a password reset email, and I’ve not yet figured out how to make that email show up in any of my many inboxes. I’m still working on it.)
+ Reused passwords: Like many other users, I’m somewhat prone to stick with a good, strong complex password once I’ve genned it up and memorized it. For me, this means there are a few passwords that I’ve reused on anywhere from a pair to as many as three sites. Fixing this proved trickier than I thought, again because some involved password reset emails that remained elusive. Other sites don’t present obvious or easy-to-find password reset mechanisms. I did manage to bring the number of offending items down from the 80s to a dozen, though. I’ll have to spend more time cleaning this up soon. As Google observes, “To best protect yourself, use a unique password on each site or app. If someone gets your reused password, they can use it to sign into your other accounts, as well.”
+ Weak passwords: These are passwords that are easy for people to guess, or susceptible to a brute force attack (computer-based guessing). In my case, a lot of old accounts came up, most of which I ended up deleting because I don’t use them anymore. I whittled this number down from 20-something to a handful where I’m stymied because of password reset issues. Here again, I’m working on it. Sigh.
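The three categories above can be reproduced locally against your own vault export, which is handy for checking progress between runs of Google's tool. The following is an added example written for this post, not code from Google or from any password manager: it audits a constructed sample vault (site-to-password map; none of the credentials are real) for reuse, weakness (assumed thresholds: shorter than 12 characters or fewer than three character classes), and presence in a stand-in breach set that holds only the SHA-1 of the word "password". How Google's own compromised-password lookup works is not described here and is not what this code claims to show.

```python
import hashlib
import string
from collections import defaultdict

# Constructed sample vault (site -> password). None of these are real credentials.
SAMPLE_VAULT = {
    "mail.example": "T7#kQp!2vLx9@Zr4Wm$e",
    "bank.example": "T7#kQp!2vLx9@Zr4Wm$e",   # reused from mail.example
    "shop.example": "Summer2019",
    "forum.example": "Summer2019",           # reused from shop.example
    "news.example": "password",
    "old-wiki.example": "abcdef",
}

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords known to be exposed.
# A real checker compares against a far larger list; this one holds only sha1("password").
BREACHED_SHA1 = {"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"}

# Assumed policy thresholds for the "weak" category.
MIN_LENGTH = 12
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def classes_used(password):
    """Count how many of the four character classes appear in the password."""
    return sum(1 for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))


def is_weak(password):
    """Short passwords, or ones drawn from too few character classes, are cheap to guess."""
    return len(password) < MIN_LENGTH or classes_used(password) < 3


def is_compromised(password):
    """Look the password up in the breach set by its SHA-1 digest (the set's own key format)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in BREACHED_SHA1


def reused_groups(vault):
    """Return groups of sites that share one password; the passwords themselves are not reported."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def audit_vault(vault):
    """Produce the three checkup categories as sorted site lists."""
    return {
        "compromised": sorted(s for s, p in vault.items() if is_compromised(p)),
        "reused": reused_groups(vault),
        "weak": sorted(s for s, p in vault.items() if is_weak(p)),
    }


if __name__ == "__main__":
    for category, sites in audit_vault(SAMPLE_VAULT).items():
        print(f"{category}: {sites}")
```

Reporting sites rather than the shared password keeps the audit output safe to paste into a to-do list; the thresholds are the part you would tune to your own policy.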

This is no trivial exercise. Working through this process took me two-plus hours of intense, focused effort. In the next section I’ll explain what I had to do to fix these passwords. By the time I was done, I was ready for “something completely different,” to use Monty Python’s well-worn phrase. (Hint: heavy drinking is at least one option I considered after this slog. You can come up with other alternatives as the proverbial “exercise left to the reader.”)

What It Takes (For Me) to Reset Passwords

The easy part was replacing old or re-used passwords with new ones. I used the Norton Password Generator to randomly generate 20-character strings that mixed upper and lower case letters, numbers, and punctuation characters. Here’s a sample of what that looks like (each time you reload this page it gens up a new, random password guaranteed to be unique).

Given a 94-character set (lower case alpha, upper case alpha, numbers, all other character keys on US-en keyboard, YMMV for other keyboards) the odds of guessing a 20-character random string are vanishingly small.*

The real work in changing passwords comes from what you must do to keep up with such changes:

+1: Generate a new, strong password for each questionable account (all three categories above).
+2: Visit the website or app, find the password reset function, make the password change.
+3: Update the password stored in all current password managers. For me this means: Norton Password Manager, Google Chrome, Firefox, and Edge. I try to store ALL passwords in Norton, but I do store some in those browsers, so it’s necessary to change all of them, in all places.
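Step 1 is the one part of this procedure that is easy to script. The block below is an added example, not the Norton generator described above or any password manager's code: it draws 20-character strings uniformly from the same 94-character set the post describes (Python's string.ascii_letters, string.digits and string.punctuation together are exactly 94 characters), retries until all four character classes are present, and rotates the passwords for a list of flagged sites in a vault copy while guaranteeing no new password duplicates an existing one. The rotate function and its vault layout are this example's own assumptions.

```python
import secrets
import string

# 94 printable ASCII characters, space excluded: 26 lower + 26 upper + 10 digits + 32 punctuation.
CHARACTER_SET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def has_all_classes(password):
    """True when at least one character from each of the four classes is present."""
    return all(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)


def generate_password(length=20):
    """Draw a uniformly random string from the 94-character set that uses all four classes."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length must be at least 4 to hold one character of each class")
    while True:
        # secrets, not random: the default PRNG is not suitable for credentials.
        candidate = "".join(secrets.choice(CHARACTER_SET) for _ in range(length))
        # Rejection sampling: retry instead of forcing classes into fixed positions,
        # which would bias the output and shrink the effective keyspace.
        if has_all_classes(candidate):
            return candidate


def rotate(vault, sites, length=20):
    """Return a copy of the vault with a fresh, unique password for each listed site (step 1)."""
    updated = dict(vault)
    in_use = set(vault.values())
    for site in sites:
        new_password = generate_password(length)
        while new_password in in_use:      # astronomically unlikely, but cheap to guarantee
            new_password = generate_password(length)
        in_use.add(new_password)
        updated[site] = new_password
    return updated


if __name__ == "__main__":
    # Constructed vault; the two reused entries are the ones step 1 replaces.
    old_vault = {"a.example": "Summer2019", "b.example": "Summer2019", "c.example": "T7#kQp!2vLx9@Zr4Wm$e"}
    for site, password in rotate(old_vault, ["a.example", "b.example"]).items():
        print(site, "->", password)
```

Steps 2 and 3 still have to be done by hand: the rotated vault only tells you which new value to paste into each site's reset form and into every password manager that holds a copy.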

I was surprised to see how many website designers make it hard to find password management on their sites. I was equally (and unpleasantly) surprised to encounter a handful of sites that claimed to send password reset emails, of which no evidence ever hit my inbox. I’m really looking forward to interacting with their tech support staffs by phone, after no doubt substantial holds to get to them, to figure out how to fix this — NOT!!!

Part of Good Security Hygiene

Just as regular dental checkups (and the occasional repairs or reconstructions they occasion) are vital to oral health, regular password reviews and resets are a necessary part of a good, safe program for computer security. I’m glad that Google offers this checkup as part of its overall suite of browser security tools. I’m glad I took the time to at least partially clean up my act, and plan to finish that cleanup soon. It’s something we all need to do from time to time, even though it takes real time and effort to work through the process. I’m still looking for a security tool to automate this process, but haven’t yet found one. If you know of something that can automate steps 1-3 above, do please let me know. Cheers!

*About Guessing Passwords

According to the article “How difficult is it to guess your password,” the formula is (number of possible characters in the set used to generate the password) raised to the power of the number of characters in the password. Repetition lowers that value somewhat, but for the item shown in the preceding screencap that means a guesser faces no better than one chance in 94 raised to the 20th power (2.9 × 10^39 in decimal terms). 290 undecillion, for those who like lots of zeros or big strings, is

290,000,000,000,000,000,000,000,000,000,000,000,000

However you look at it, that’s a big number, well outside the worthwhile zone for tackling via brute force — at least until 20 qubit quantum computers become available. Then, all bets are quite literally off.
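The formula above is easy to carry through in code, which also makes the "how big is big" question concrete by turning the keyspace into an equivalent bit strength and a worst-case brute-force time. This is an added example for this post, not code from the cited article: it computes 94^20 exactly (a 40-digit integer, about 2.9 × 10^39, matching the figure above), its log2 strength (about 131 bits), and the years needed to try every string at an assumed, constructed guess rate of 10^12 per second, set beside an 8-character lowercase-only password for contrast. The guess rate is a placeholder for comparison, not a claim about any real attacker's hardware.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct strings of the given length: alphabet_size ** length, as an exact integer."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every string at the given rate (an attacker expects about half that)."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed guess rate: 10^12 per second, a constructed figure used only for comparison.
    rate = 1e12
    for name, alphabet, length in [("94-char set, 20 long", 94, 20), ("lowercase only, 8 long", 26, 8)]:
        n = keyspace(alphabet, length)
        print(f"{name}: {n:.1e} strings, {entropy_bits(alphabet, length):.0f} bits, "
              f"{years_to_exhaust(alphabet, length, rate):.1e} years at {rate:.0e} guesses/s")
    print("94**20 exactly:", keyspace(94, 20))
```

The contrast line is the practical takeaway: the same guess rate that exhausts an 8-character lowercase password in a fraction of a second needs on the order of 10^19 years for the 20-character, 94-symbol string, which is why the post's generator settings are worth the inconvenience.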

Author: Ed Tittel

Ed Tittel is a 30-plus-year computer industry veteran. He’s a Princeton and multiple University of Texas graduate who’s worked in IT since 1981 when he started his first programming job. Over the past three decades he’s also worked as a manager, technical evangelist, consultant, trainer, and an expert witness. See his professional bio for all the details.
