Google Warns Against Weak Passwords

A Google engineer's blog post offers tips on protecting personal online records and information with strong passwords.

Thomas Claburn, Editor at Large, Enterprise Mobility

June 5, 2008

Google would like to take this moment to remind you to choose a strong password.

Too many passwords are weak or poorly guarded. People choose obvious passwords, like "password," or share them with friends or display them on Post-it notes that hang from their computer monitors.

Surveys detailing such folly can be found at a site maintained by IT security consultant Bruce K. Marshall. They present findings such as these: 70% of people do not have unique passwords for each Web site, and nearly half of all people write down their passwords. Read the papers and weep.

Password security is particularly important for Google because Google Account passwords unlock the keys to an individual's Google kingdom from anywhere in the world. (Google does not currently offer a way to limit Google Account access to certain IP addresses or ranges.) There is no firewall to bypass or office to break into when compromising a Google Account. The right password is all that's needed.

Google engineer HongHai Shen wrote a blog post about password security on Wednesday, acknowledging that fanatical devotion to strong passwords -- generating a random eight-character string every two or three months -- probably isn't necessary for everyone. But he still believes passwords should be chosen with care. "Whether it's for your Google account, your banking center, or your favorite store, choosing a good password and keeping it safe can go a long way toward protecting your information online," he wrote in his blog post.

HongHai's advice, though timeworn, bears repeating because so few take such recommendations to heart:

Avoid common elements when choosing your password. That means no words you'd find in a dictionary, which might be vulnerable to "dictionary attacks." It also means that clever concatenated phrases like "letmein" or "opensesame" probably aren't all that clever. Figure too on the fact that patterns on keyboards, like "1234" or "asdf" are available on keyboards all over.

Make your password as unique as possible. This ought to go without saying, but, there, it's been said. Add numbers and non-alphanumeric characters to your password. Mix uppercase and lowercase letters.

Create different passwords for different sites. The benefit of doing so is obvious: If someone does steal your password, he or she doesn't have access to every Internet service you use. Particularly for financial and health sites, you should have unique passwords.

Don't share your passwords with anyone. And don't send them in an e-mail if you can help it.

Be careful how you share your information online. Social networking sites in particular have a poor record of keeping user information private and the gadgets that are popular on many of these sites are not developed with security in mind. If there's a way to find out how these sites and applications share data, it can be worth doing so.

Google provides additional password guidance in its Gmail Help Center documents.
