This content is likely not relevant anymore. Try searching or browse recent questions.
whether Google can identify passwords that are too widely shared 0 Recommended Answers 4 Replies 0 Upvotes
An institution has its email hosted by Google (I don't know the domain but I gather managed by Gmail's people). The institution's security is compromised not by Google but by the institution's people almost all failing to change their passwords from the shared default.
A solution would likely require Google (paid for by the institution) to check its servers for password hashes that are identical more often than some threshold for the same institutional customer. I'm writing here in the hope that Google can do that check. I'm not asking Google to do so (I don't represent that institution) but hoping that Google has the capability. I already got in touch with the institution and made suggestions for its security, including that it ask Google for hash counts and ask Google to help the institution force within-institution password changes and also force uniqueness or near-uniqueness through periodic reviews of hashes of all of the institution's users of institutional Gmail to see if too many are identical.
I have a Google login but not Gmail so I may not have access to relevant help pages, especially those for institutional support.
Details
Recommended Answer Recommended Answers (0)
Most Relevant Answer Most Relevant Answers (0)
All Replies (4)
Recommended Answer
Most Relevant Answer
Please use the in-product “Send feedback” link to submit your request/issue directly to Google. You will not receive a response from Google. Rather than Gmail, you should probably do that from one of the account settings pages.
recommended this
marked this as an answer
Recommended based on info available
Our automated system analyzes replies to choose the one that's most likely to answer the question. If it seems to be helpful, we may eventually mark it as a Recommended Answer.
Most relevant based on info available
Our automated system analyzes the replies to choose the one that's most likely to answer the question.
Recommended Answer
Most Relevant Answer
I don't have Gmail (as I said), so I don't have access to anything in the product.
I'm not part of the institution in question and don't represent it, but the security lapse for institutions in this situation is startlingly vast, so Google would probably like to offer the service I described. This forum is where someone, such as you, can note a difficulty with the proposed solution before escalation.
recommended this
marked this as an answer
Recommended based on info available
Our automated system analyzes replies to choose the one that's most likely to answer the question. If it seems to be helpful, we may eventually mark it as a Recommended Answer.
Most relevant based on info available
Our automated system analyzes the replies to choose the one that's most likely to answer the question.
Recommended Answer
Most Relevant Answer
I don't have Gmail (as I said), so I don't have access to anything in the product.
Google does not read these forums, and there is no way to submit feedback to Google from them.
I already got in touch with the institution and made suggestions...
Perhaps suggest that THEY send feedback about the proposed feature. But I think simple education of company users about good account security is a better choice than some new tool that compares encrypted passwords.
recommended this
marked this as an answer
Recommended based on info available
Our automated system analyzes replies to choose the one that's most likely to answer the question. If it seems to be helpful, we may eventually mark it as a Recommended Answer.
Most relevant based on info available
Our automated system analyzes the replies to choose the one that's most likely to answer the question.
Recommended Answer
Most Relevant Answer
I already advised the institution to have everyone change default passwords, and I wasn't the first, but, as of a public news report, almost no one had (as noted above) and already their system was being abused because of that. Whether any high risk has become kinetic, I don't know, but I don't think waiting for a disaster (even current non-Google news aside) is a good plan.
I also already suggested that the institution contract with Google to help the institution force changes to widely-used passwords (as noted above), which is where my idea to count hashes comes in. Does counting them create a problem? I think not, but I wanted to be sure I'm not missing something, so I asked. For example, perhaps Google already offers the service.
Google does read some forum posts, at least in another community forum. I've already experienced that, beneficially.
recommended this
marked this as an answer
Recommended based on info available
Our automated system analyzes replies to choose the one that's most likely to answer the question. If it seems to be helpful, we may eventually mark it as a Recommended Answer.
Most relevant based on info available
Our automated system analyzes the replies to choose the one that's most likely to answer the question.
This question is locked and replying has been disabled.
Link to post
Delete post?
This will remove the reply from the Answers section.
Notifications are off
Your notifications are currently off and you won't receive subscription updates. To turn them on, go to Notifications preferences on your Profile page.
This reply is no longer available.
Badges
Some community members might have badges that indicate their identity or level of participation in a community.
