Either you’re terrible at passwords, or the two people on either side of you are.
That’s one of a few unsettling takeaways from a new security survey Google has commissioned in advance of a major expansion of its efforts to prod people into not repeating the same old password mistakes.
The Harris Poll survey, which quizzed a representative sample of 3,419 U.S. adults from August 16 to August 29, also found that 66% of Americans who responded said they used the same password for more than one account. Twenty-four percent of respondents had leaned on such easily guessed passwords as “abc123,” “123456,” “welcome,” and that perennial favorite, “password.” And 59% had incorporated their own name or birthday, or those of a loved one or a pet.
But while reusing passwords can ease the cognitive load of a life filled with separate logins—and alluding to loved ones can lend some humanity to the process—those and other shortcuts eat away at your long-term security.
To encourage better password habits, Google is going to move past its previous nagging (“Please. Stop. Reusing. Passwords. Across. Services,” security product manager Stephan Somogyi intoned in 2016 at its Google I/O conference) and get in its customers’ faces.
Next week, Google will incorporate Password Checkup, a feature it launched as an optional Chrome extension in February, into the password manager built into Chrome for Android, iOS, MacOS, and Windows for use with a Google account. This update will also add the ability to scan for reused and weak passwords, not just those logins already compromised by data breaches.
In essence, Google is attacking human frailty with code, because expecting the humans to reprogram themselves won’t work.
“Password reuse is by far the larger problem than weak passwords,” said Mark Risher, a senior director of product management for identity and security at Google. He warned of a common response among people to being hectored about their use of weak passwords: “They come up with one that they’re particularly proud of, and then they shoehorn that into every site they use.”
If one site is breached and your reused password leaks, an attacker can try that same e-mail-and-password pair against other services where you used it. In infosec jargon, that is “credential stuffing,” and it is automated at scale: a leaked list is replayed against hundreds of sites, so a single reuse is all it takes.
The Harris survey testifies to the costs of these mistakes: 40% of Americans said their data had been compromised online; of those, 47% said they had lost money, and 12% had seen more than $500 vanish.
Third-party security tools already offer password-grading capabilities like this. The Watchtower feature of the 1Password password manager, for example, can check saved passwords for exposure, reuse, or guessability.
That tool can also advise you to enable two-step verification on certain accounts, something Google won’t try to match in these upcoming updates due to the lack of an agreed-upon format in which sites can signal their support for this extra authentication.
Firefox users, meanwhile, can take advantage of Mozilla’s free Firefox Monitor data-breach warning service. And anybody can visit Have I Been Pwned, the data-breach database run by Australian developer Troy Hunt, to see if their e-mail address or password has already turned up in a breach. But by leveraging Chrome and Android, the world’s most popular browser and mobile operating system, Google will put these password alerts in front of far more people and offer them for free.
Of course, some security-conscious users may not be thrilled with the idea of entrusting Google with their passwords at all. A blog post from February explains how the company hashes and encrypts passwords to allow them to be checked anonymously and safely—with the final go/no-go verdict processed locally on your device.
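To make the “checked anonymously, verdict computed locally” idea concrete, here is an added illustration of the general pattern such checks use: the client blinds a hash of its credential with a secret exponent, the server raises it to its own secret exponent and returns a bucket of similarly blinded leaked credentials, and the client unblinds and does the membership test itself. This is constructed example code, not Google’s or 1Password’s implementation; the Mersenne prime 2^127-1, the 2-byte bucket prefix, the `BreachServer` class and the sample leaked list are all assumptions chosen for a runnable demo (real deployments use elliptic-curve groups and much larger breach sets).

```python
"""Toy privacy-preserving breach check using commutative blinding.

Constructed illustration of the hash-blind-unblind pattern; NOT the code
Google or any password manager actually ships. Parameters are assumptions:
the group is Z_p^* for the Mersenne prime p = 2^127 - 1 (real systems use
elliptic curves), and the bucket prefix is 2 bytes of SHA-256 output.
"""
import hashlib
import secrets
from math import gcd

P = (1 << 127) - 1   # assumed toy prime modulus
ORDER = P - 1        # exponents are reduced modulo p-1 (Fermat's little theorem)


def _credential_digest(username: str, password: str) -> bytes:
    """Canonical hash of a credential; usernames are case-folded so Bob == bob."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def hash_to_group(username: str, password: str) -> int:
    """Map a credential to a nonzero element h of Z_p^* (toy hash-to-group)."""
    return int.from_bytes(_credential_digest(username, password), "big") % (P - 1) + 1


def bucket_prefix(username: str, password: str) -> str:
    """Coarse 2-byte prefix sent in the clear to pick a server bucket.

    This is the only thing the server learns about the credential, and it is
    shared by roughly 1/65536 of all credentials (the k-anonymity trade-off).
    """
    return _credential_digest(username, password).hex()[:4]


def random_exponent() -> int:
    """Random blinding exponent that is invertible modulo p-1."""
    while True:
        e = secrets.randbelow(ORDER - 2) + 2
        if gcd(e, ORDER) == 1:
            return e


class BreachServer:
    """Holds leaked credentials as h_i^b for a secret server key b.

    The server never stores plaintext or raw hashes, and a client query
    arrives already blinded, so it cannot recover h from h^a.
    """

    def __init__(self, leaked):
        self.b = random_exponent()
        self.buckets = {}
        for user, pw in leaked:
            blinded = pow(hash_to_group(user, pw), self.b, P)
            self.buckets.setdefault(bucket_prefix(user, pw), set()).add(blinded)

    def query(self, prefix: str, client_blinded: int):
        """Return (h^a)^b plus every h_i^b in the requested bucket."""
        return pow(client_blinded, self.b, P), self.buckets.get(prefix, set())


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: the go/no-go verdict is computed here, not on the server."""
    h = hash_to_group(username, password)
    a = random_exponent()
    prefix = bucket_prefix(username, password)
    double_blinded, bucket = server.query(prefix, pow(h, a, P))
    # Strip the client's blinding: (h^{ab})^{a^-1} = h^b because a*a^-1 = 1 mod (p-1).
    server_blinded = pow(double_blinded, pow(a, -1, ORDER), P)
    return server_blinded in bucket


if __name__ == "__main__":
    # Constructed sample breach corpus; none of these are real accounts.
    srv = BreachServer([("alice@example.com", "password"), ("bob@example.com", "abc123")])
    print(check_credential(srv, "alice@example.com", "password"))       # True: leaked
    print(check_credential(srv, "alice@example.com", "9fK!wq2Lz#vT8m"))  # False: not leaked
```

The point of the exponent gymnastics is that the server sees only the blinded value h^a and a 16-bit prefix, while the client sees only blinded entries h_i^b, so neither side can enumerate the other’s set; only an exact match on the same underlying credential survives the unblinding step. Swapping the toy modular group for an elliptic curve and a larger breach corpus changes the parameters, not the shape of the exchange.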
For users without the time to read through documentation like that, Google’s message ultimately boils down to: Trust us to manage your passwords in one place, because the alternatives are riskier.
“It’s security pragmatism,” Risher said. “That one basket, maybe counterintuitively, is much better defended than any of the practical alternatives that people would use.”