Check your password now.
Google has confirmed that attacks on Gmail users to steal security credentials are now surging and are behind “37% of successful intrusions.” Put more simply, password theft is allowing hackers to gain access to accounts. This includes infostealer malware, “which is increasingly being used to enable intrusions using stolen credentials.”
Google warns users to upgrade the security on their accounts. This means always using a passkey or “Sign in with Google” instead of a password. It means never using a linked or popup sign-in window. But it also means using only strong, unique passwords and enabling a non-SMS form of two-factor authentication (2FA).
Google’s research finds most users are yet to add passkeys, even though “unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device.” More worryingly, most users “still rely on older sign-in methods like passwords.” So, it’s critical those passwords are not a gift to hackers.
Hackable Passwords
Hive Systems warns “password reuse, short character lengths, and weak complexity remain some of the easiest ways attackers gain access to systems.” The team has listed “time-to-crack estimates for passwords of various lengths and character sets.”
This guide shows why a combination of upper and lowercase letters, numbers and symbols is best. But only if it’s eight characters or more. It also takes a standalone “brute force” approach. But in the real world, an attacker does not start from scratch. That means the times to crack are much shorter, sometimes no time at all.
It doesn’t matter how long or complex your password is. If it’s reused and has been breached or stolen, then all accounts with that same password will be at risk.
Top 20 “Most Common Passwords”
Take a look at NordPass’s top-200 most common passwords, a horror list now in its sixth year of shaming us all into better password hygiene. To assemble the data, “we analyzed passwords stolen by malware or exposed in data leaks,” the firm says.
If your password makes the list or is anything like one of those on the list, then change it now — right now. The combination of the NordPass and Hive Systems reports should explain exactly how to craft a good password. Better still, use a standalone (not browser-based) password manager to create strong, unique passwords for all accounts.
None of this changes the most critical advice though. Add a passkey to your Google account and always use this to sign in. Replace SMS 2FA with an authenticator app. And never log into any Google account through a linked or popup sign-in prompt.

