Updated Nov. 9 with an additional warning on Google password usage.
Your Google accounts are at risk — that much should be obvious. The Company has repeatedly warned Gmail and its other users to update the security on their accounts. To add passkeys. But for some reason, these warnings are not landing as they should.
“Scams continue to be a persistent global challenge,” Google says again this week, and it’s fueled by “transnational crime groups who seek to exploit vulnerable people online for financial gain.” This includes the Chinese organized criminal gangs responsible for the plague of malicious text messages targeting Android and iPhone users.
The threats are also getting worse. “57% of adults experienced a scam in the past year, with 23% reporting money stolen,” and now “scammers are increasingly misusing AI tools to efficiently scale and enhance their schemes.”
Almost all these attacks focus on accessing your accounts — Google, Microsoft, Apple, Facebook, Amazon or any one of hundreds of banks and financial institutions. Whether it’s a phishing email, a malicious text, a phantom hacker call or a rogue ClickFix pop-up. The target is almost always the same. “Enter your username and password here.”
Google first issued its “so long passwords” warning in 2023. It’s advice is clear. Stop using passwords and switch to passkeys. And do that now. As Fast Company puts it, “Google is telling users to change their passwords, but not because of a breach that exposed them. In fact, Google’s real advice is to stop using your password altogether.”
“When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it,” the company says. “Together, this means that passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach.”
Even when Google is forced to correct misreporting after claims that millions of Gmail password suddenly leaked, it still confirms that “adopting passkeys is a stronger and safer alternative to passwords.” Again this week, the latest reported collation of breached username and password data included 394 million unique Gmail addresses.
But still, whenever articles push users to stop using passwords, skeptics respond as if this is controversial. It is not. And Google is not alone. Microsoft actually warns users to delete passwords altogether, removing them completely from accounts.
Google doesn’t go that far, but does say “we allow you to skip not only the password but also 2SV when you use a passkey. In fact, passkeys are strong enough that they can stand in for security keys for users enrolled in our Advanced Protection Program.”
Google also says that adding passkeys means they will “pay closer attention to the sign-ins that fall back to passwords,” In other words, they’ll tighten your account security. Google is leading the charge on passkey adoption, with a 352% increase in the past year. Users are catching on, but most still need to make the change. Do that today.
The need to secure your Google/Gmail account is made even more critical given the increasing use of Google credentials to secure other sites and services.
Per Dashlane, Google already “commands half of all passkey authentication activity measured in our dataset,” and “its sheer volume dwarfs that of other platforms, and it functions as an SSO (single sign-on) provider that users authenticate through to access numerous other domains, making direct comparisons misleading.”
NordPass tells me that in its research into the security and password protection on “the 1,000 most visited websites in the world,” it found that “39% (of the websites) offer single sign-on (SSO), and Google dominates — powering 9 out of 10 SSO options.”
That means that if your Google username and password is compromised and hasn’t been supplanted by stronger security, it’s more than your Google account at risk. NordPass says “up to 86% of all basic web application attacks use stolen credentials for initial access,” and “the average user has around 170 passwords.”
Just like Google, NordPass says “passkeys are the answer. Backed by the FIDO Alliance, passkeys are the modern solution to the password problem.” It warns that “bad password habits don’t just recur out of user convenience — in fact, the websites themselves push users to take the easier way out by not enforcing strict password requirements and supporting weak credential use.”
