
Google’s stealthy sign-in sentry can pick up pilfered passwords

The search giant's secret sauce can see when somebody's using your stolen password.

Two things happened on Halloween with a bearing on cybersecurity.
The first is that the 15th year of the National Cyber Security Awareness Month (NCSAM) came to an end. You have heard of NCSAM, right?
The second, apparently timed to coincide with 31 October, was that Google is yet again modifying the background security checks it performs during account sign-in, as well as modifying its recovery process in the event of unauthorised access. There’s also important news if you’re a hold-out against enabling JavaScript.
The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.
Wrote Google product manager, Jonathan Skelker in a blog announcement:

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious.

The company is deliberately vague about which signals feed this assessment, but it alluded to similar ideas in the reCAPTCHA v3 announcement from earlier this week.

No JavaScript, no Google

However, distinguishing an unauthorised from a legitimate sign-in requires that you haven’t disabled JavaScript, either completely, in your browser’s settings, or selectively, with a plugin like NoScript. Google reckons around 0.1% of its users do this to counter what they believe is the language’s potential for misuse. However:

We’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.

Sign in with JavaScript disabled and you will be confronted with the following error message:

The browser you’re using doesn’t support JavaScript, or has JavaScript turned off. To keep your Google account secure, try signing in on a browser that has JavaScript turned on.

In short, if you’re in the 0.1%, JavaScript will have to be at least temporarily enabled to access Google.

Account recovery

If Google thinks it has detected malicious account access, users are now taken through additional checks looking for unauthorised financial activity, access to files on Google Drive, whether access has affected third-party accounts accessed via Google, and double-checking recovery information such as phone numbers for any changes.
The options and process for this are laid out on Google’s secure a hacked or compromised account page.
It’s all perfectly sensible stuff but a quick glance at that page shows how involved Google account security has become – the main advice section now runs to a total of nearly 1,100 words, referencing settings and concepts not all users will be familiar with.
As Google’s Skelker admits:

Online security can sometimes feel like walking through a haunted house – scary, and you aren’t quite sure what may pop up.

His analogy, aimed at the threats, increasingly applies to protections too.
As their number expands to serve a worthy cause, it’s a theme worth thinking about come next year’s National Cyber Security Awareness Month.

1 Comment

Naturally only time will tell if this proves to be
(a) a huge pain in the ass, and/or
(b) a win for security
…but I like the notion–seems to come from a good place.
If only I could say that about most of the Google articles we’ve been reading lately…

