Google’s Mark Risher tells us why the conventional wisdom about choosing your password is wrong and about the expanding number of threats faced by platforms like Gmail as they work to protect users from phishing attacks and spammers. Conventional wisdom about choosing longer, more complicated passwords is getting less effective over time. Meanwhile, the people behind phishing attacks are getting much better.
Risher is a director of product management at Google, where he oversees Google’s identity, account security, and counter-abuse teams. A big part of Risher’s job over the years has been to fight unwanted email, and he says the methods used by spammers have evolved significantly over that time. Some attackers are getting much better results than they used to just by doing some research on their clients, he said.
“What works is taking your name out of a hat wherever I find it, going to your LinkedIn page, and finding a few facts about you,” Risher said. “Maybe doing a little search and getting some other information, and then saying ‘Dear Casey, you may remember that we met a few weeks ago at Vox Media, and at the time you had promised to tell me your Social Security number and then it just slipped your mind. Can you please remind me?’”
It sounds ridiculous, but it works, Risher said. “I take it to the absurd, but you can imagine how you could do something that’s much closer, like ‘Hey, I’m going to meet up with you. Remind me your mother’s maiden name?’ … These social engineering attacks that they spend a few more minutes personalizing can then yield much, much more outsized rewards.”
Risher tells us a better approach to picking passwords on Converge, an interview game show where the biggest personalities in tech tell us about their wildest dreams. It’s a show that’s easy to win, but not impossible to lose — because, in the final round, I finally get a chance to play and score a few points of my own.