Showing posts with label security. Show all posts

Wednesday 4 November 2009

Cutting back on your long list of passwords

Does anyone actually like passwords? Most people can't stand them because they end up having to keep track of a long (and often memorized) list of usernames and passwords to sign into the websites they visit. Website owners hate them because it's hard to get people to create a new account on their website, and almost half of those account registrations are never completed. Thanks to new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%. The most visible examples come from Plaxo, Facebook, Yahoo! and Google using a technique the industry calls hybrid onboarding. In the past, if you were a Gmail user who got an invitation to use Plaxo or Facebook, you were asked to go through the traditional process of creating a new account with yet another password, and you might also have been asked to provide the password of your email account so Plaxo or Facebook could look up the list of your friends. With hybrid onboarding, if you click on such an invitation in your Gmail, you'll see a page like one of these:


Clicking the large button on the Plaxo page takes you to a page at Google like this:


If you give consent to share a few pieces of information, you are sent back to Plaxo with all key registration steps finished.


The registration process used to involve more than 10 steps, including requiring you to find one of those "email validation" messages in your inbox. If you've followed the steps above, you can now sign into Plaxo more easily — by simply clicking a button.

While Plaxo showed the first successful results of this technique in early 2009, other companies like Facebook are starting to use the same model and to recognize its business value potential. At the same time, the hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all. Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused. We'd like to applaud Plaxo and Facebook's work in designing the user experience needed for this technique as well as pushing us to create the optimizations needed to carry out their design. Today we're happy to announce that all of these login flow designs are now available to any website operator. All of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well. For more technical details, check out our Google Code Blog post.
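What the website actually has to check in a flow like this, shown as an added illustration that is not code from this post or from Google, Plaxo or Facebook: the industry standards behind hybrid onboarding are OpenID 2.0 with the OAuth hybrid extension, and the example below models the OpenID-style signed assertion in a simplified form rather than the real wire format. The shared secret, the return URL, the identifier shapes and the field names are constructed for the example. It demonstrates the point made above: the site never handles your password; it accepts a one-time signed statement from the provider and must verify the signature, that the statement was addressed to it, and that it has not been replayed.

```python
import hashlib
import hmac
import secrets
import time

# Google's OpenID 2.0 provider endpoint of the period, used here as the
# identifier the relying party expects in every assertion it accepts.
TRUSTED_PROVIDER = "https://www.google.com/accounts/o8/id"

# Constructed shared secret. In OpenID 2.0 the two sides agree on one through
# an "association"; for this example it is a fixed byte string.
ASSOC_SECRET = b"constructed-association-secret"

SIGNED_FIELDS = ("op_endpoint", "claimed_id", "email", "return_to", "response_nonce")


def sign_fields(fields, secret):
    """HMAC-SHA256 over the fields named in fields['signed'], in that order.

    Mirrors the idea of openid.sig: only the listed fields are covered, so the
    relying party must also check that every field it relies on is listed.
    """
    names = fields.get("signed", "").split(",")
    message = "".join(f"{name}:{fields.get(name, '')}\n" for name in names)
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def provider_issue_assertion(email, return_to, secret=ASSOC_SECRET, now=None):
    """Provider side (Google's role): after the user consents, emit a signed
    assertion carrying the few pieces of information the site asked for."""
    now = time.time() if now is None else now
    fields = {
        "op_endpoint": TRUSTED_PROVIDER,
        "claimed_id": f"{TRUSTED_PROVIDER}?id={secrets.token_hex(8)}",  # constructed shape
        "email": email,
        "return_to": return_to,
        "response_nonce": f"{int(now)}-{secrets.token_hex(8)}",
        "signed": ",".join(SIGNED_FIELDS),
    }
    fields["sig"] = sign_fields(fields, secret)
    return fields


class RelyingParty:
    """Relying-party side (Plaxo's role). It never sees a password: it only
    checks that a fresh assertion from the expected provider, addressed to it,
    carries a valid signature."""

    def __init__(self, return_to, secret=ASSOC_SECRET, max_age_seconds=300):
        self.return_to = return_to
        self.secret = secret
        self.max_age_seconds = max_age_seconds
        self.seen_nonces = set()
        self.accounts = {}

    def verify(self, fields, now=None):
        now = time.time() if now is None else now
        if fields.get("op_endpoint") != TRUSTED_PROVIDER:
            return False, "unexpected provider"
        # Every field we act on must be covered by the signature; otherwise the
        # "email" field could be dropped from the signed list and substituted.
        if not set(SIGNED_FIELDS) <= set(fields.get("signed", "").split(",")):
            return False, "required field not signed"
        expected = sign_fields(fields, self.secret)
        if not hmac.compare_digest(expected, fields.get("sig", "")):
            return False, "bad signature"
        # Audience: an assertion the provider signed for some other site must
        # not log anyone in here, even though its signature is valid.
        if fields.get("return_to") != self.return_to:
            return False, "return_to mismatch"
        # Freshness and replay: each nonce is accepted once, inside the window.
        nonce = fields.get("response_nonce", "")
        try:
            issued_at = int(nonce.split("-", 1)[0])
        except ValueError:
            return False, "malformed nonce"
        if abs(now - issued_at) > self.max_age_seconds:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"

    def onboard(self, fields, now=None):
        """Create (or look up) the local account. The registration steps the
        post describes collapse to this one call once the assertion verifies."""
        ok, reason = self.verify(fields, now)
        if not ok:
            return None, reason
        email = fields["email"]
        self.accounts.setdefault(email, {"claimed_id": fields["claimed_id"]})
        return email, "ok"


if __name__ == "__main__":
    plaxo = RelyingParty("https://www.plaxo.com/openid/return")  # constructed return URL
    assertion = provider_issue_assertion("alice@gmail.com", plaxo.return_to)
    print(plaxo.onboard(assertion))   # ('alice@gmail.com', 'ok')
    print(plaxo.onboard(assertion))   # (None, 'replayed nonce')
```

The return_to check is the one most often skipped: a valid signature only proves the provider issued the assertion, not that it was issued for this site, so without it an assertion obtained by a different relying party could be presented here.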

Hybrid onboarding is also being used by Enterprise Software-as-a-Service vendors — such as ZoHo — that want to eliminate the need for employees at their customers' businesses to create another password. More details are available on our Enterprise Blog. In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites.

There is still a long way to go before you'll be able to trim down your long list of website passwords, but this progress demonstrates the potential for even the largest websites to adopt the hybrid onboarding model. We hope many other websites will follow.

Tuesday 3 November 2009

Next steps in cyber security awareness

(Cross-posted from the Public Policy blog)

Last week I joined several industry experts to speak at a cyber security panel on Capitol Hill organized by Congresswoman Yvette Clarke and sponsored by the Committee on Homeland Security. The conversation focused on things everyday Internet users can do to help protect their computers and stay safe online. Given that we just wrapped up our observation of National Cyber Security Awareness Month, I thought I'd share some of the key recommendations from the panel:

What are the most important things we all need to do to protect our computers and mobile devices?
You should have the same expectations when using the Internet as you would when exploring a city: you don't give your credit card to the person selling watches on the street just because you recognize the brand, you don't let your kids wander around by themselves and you don't give personal information unless you know who's getting it. If an offer is "urgent" or seems too good to be true, take a step back and research the offer. Add a password to your mobile phone, and browse cautiously on open WiFi networks as you would when using a computer.

What are the most common misconceptions about cyber security?
Many dangerous websites are not designed to be dangerous. In fact, most of the sites that serve malware (malicious software) are innocent sites that have been compromised in one way or another. Your computer isn't necessarily safe just because you're avoiding sites that contain adult content or pirated software. Use reputable anti-virus and anti-spyware programs, and keep your computer operating system and applications updated with the latest software versions.

How do I know if my computer or network has been compromised?
If you suspect a compromise, first disconnect the computer from the Internet. Take note of any slowness, and if you're not sure how to proceed, get someone with technical expertise to check your network logs for high traffic during times when you're not using the computer. When in doubt, contact a computer support expert.
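A concrete version of the "high traffic when you're not using the computer" check, added here as an example and not part of the original post or the panel's material. The log lines are constructed to look like a home router's connection export, the active hours are an assumption about when the owner normally uses the machine, and the threshold is a multiple of the median volume seen in those hours. It buckets outbound bytes by hour, reports off-hours buckets that stand out, and names the destinations responsible.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines in the shape of a router export:
# "date time source destination dest_port bytes_out". 198.51.100.23 is an
# address from the documentation range, standing in for an unknown host.
SAMPLE_LOG = """\
2009-11-01 09:12:04 192.168.1.10 74.125.19.99 443 184320
2009-11-01 12:40:11 192.168.1.10 208.67.222.222 80 250000
2009-11-01 18:05:59 192.168.1.10 74.125.19.99 443 120000
2009-11-01 02:10:30 192.168.1.10 72.14.213.99 80 12000
2009-11-02 10:00:00 192.168.1.10 74.125.19.99 443 300000
2009-11-02 21:30:45 192.168.1.10 208.67.222.222 80 210000
2009-11-02 03:00:12 192.168.1.10 198.51.100.23 6667 41000000
2009-11-02 03:20:48 192.168.1.10 198.51.100.23 6667 7000000
"""

ACTIVE_HOURS = range(8, 23)   # assumed hours during which the owner uses the machine


def parse_log(text):
    """Yield (timestamp, src, dst, port, bytes) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        day, clock, src, dst, port, size = parts
        try:
            ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
            yield ts, src, dst, int(port), int(size)
        except ValueError:
            continue


def hourly_totals(records):
    """Sum outbound bytes per (day, hour) bucket."""
    totals = defaultdict(int)
    for ts, _src, _dst, _port, size in records:
        totals[(ts.strftime("%Y-%m-%d"), ts.hour)] += size
    return dict(totals)


def flag_off_hours(totals, active_hours=ACTIVE_HOURS, factor=5):
    """Return (day, hour, bytes) for off-hours buckets whose volume exceeds
    `factor` times the median of the active-hours buckets."""
    active = [v for (_d, h), v in totals.items() if h in active_hours]
    baseline = statistics.median(active) if active else 0
    return sorted((d, h, v) for (d, h), v in totals.items()
                  if h not in active_hours and v > factor * baseline)


def top_destinations(records, day, hour):
    """Bytes per (destination, port) within one bucket, largest first."""
    by_dst = defaultdict(int)
    for ts, _src, dst, port, size in records:
        if ts.strftime("%Y-%m-%d") == day and ts.hour == hour:
            by_dst[(dst, port)] += size
    return sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    for day, hour, total in flag_off_hours(hourly_totals(records)):
        print(f"{day} {hour:02d}:00 sent {total} bytes to", top_destinations(records, day, hour))
```

In the constructed data the 02:00 bucket on the first day is small enough to pass (an update check looks like that), while the 03:00 bucket on the second day is tens of megabytes to one unfamiliar host on an IRC port, which is exactly the kind of entry the panel's advice is meant to surface.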

As President Obama recently stated, cyber security is a shared responsibility. At Google, we recognize how important awareness and education are because many online security threats can only be avoided if we work together.

We spent the month of October exploring cyber security and talking about how to use Google products in a more secure manner. If you haven't seen them already, take a look at the posts we've released over the last month:
Be sure to share the tips you find most helpful with others, and remember to stay safe online.

Friday 2 October 2009

Celebrating National Cyber Security Awareness Month 2009

Internet security and online safety are topics that leave many people scratching their heads. While many companies and organizations work to make the Internet a safer place, it can be difficult to know what to do as an Internet user beyond creating numerous passwords for your various online accounts and steering clear of that email from a "long lost relative" who wants you to immediately wire thousands of dollars to him. Here's the good news: even though security can become quite technical and complicated, there are simple steps you can take that can make a big difference in helping to keep your information safe.


This month, Google joins the National Cyber Security Alliance (NCSA), governmental agencies, corporations, schools and non-profit organizations in recognizing National Cyber Security Awareness Month. Throughout October, we'll be raising awareness of important Internet security and safety issues that will teach you how to be an informed web user. Keep an eye on our various product blogs, as we'll be sharing tips that are tailored to users of Google products and services. To kick off the series, visit our newly created Google Cyber Security Awareness Channel on YouTube to watch a variety of online safety videos created by individuals and groups with an interest in cyber security.

The web is a great platform for all kinds of things — finding information, interacting with others and even running your business. Practicing good cyber security habits can help keep it that way. Join us this month by brushing up on your cyber security awareness and sharing the tips you like with others.

Update on 10/22/2009: We're excited to hear that the U.S. House of Representatives today unanimously passed a resolution formally supporting the goals and ideals of National Cyber Security Awareness Month 2009. Rep. Yvette D. Clarke’s resolution signals the government's willingness and commitment to help better protect the nation's online and information security.

Saturday 11 July 2009

How to steer clear of money scams

This post is the latest in an ongoing series on how to stay safe online. - Ed.

As the designated tech support person for my immediate family, I'm used to getting calls about issues like browser crashes and confusing websites. But recently my mom called to ask about something she saw online that said Google would pay her thousands of dollars to work from home with no experience required. She didn't buy it, but she did want to ask — is this for real?

My mom was right to be skeptical. In the current economic downturn, a lot of people are looking for ways to make extra money. Unfortunately, some unsavory characters see this trend as an opportunity to trick unsuspecting people with scams and elaborate get-rich-quick schemes. We're seeing disturbing cases in which websites, emails and advertisements claim that you can make large amounts of money from home with very little effort using Google products and services. They're designed to look like they were written by a regular person, just like you, who stumbled across an amazing opportunity to make their monetary dreams come true. What they don't tell you clearly is that Google is not affiliated with these sites and that they may add extra charges to your credit card or misuse your personal information.

To be clear, we are proud to say that many companies and individuals do legitimately make money placing ads on their websites with Google AdSense or participating in programs like the Google Affiliate Network. Creating a successful website is hard work — successful sites earn their money by writing compelling content, developing useful applications and maintaining vibrant user communities. Any claim that you can skip all of that and make just as much money by posting links, using a secret system, or running a kit to generate websites should be treated with a heavy dose of skepticism.

Spammers attempt to reach users by generating hundreds of webpages and sending out a flood of spam emails, sometimes even buying advertisements on reputable websites. Their sites also target other popular Internet companies. They may include family photos pilfered from another site or a picture of a check they supposedly received. Spammers use a wide range of techniques that try to slip past automatic filters to get to you. At Google, we work hard to protect users from these schemes by using a combination of automated and manual tools that remove them from our search index and ad network. However, scams target many companies and appear in various places around the web, so we all need to work cooperatively. Google collaborates with various government and non-governmental consumer protection agencies, such as the Federal Trade Commission, that are investigating these types of schemes further.

How to identify scams and other schemes

In general, if it looks too good to be true, it probably is. Here are some pointers on what to look out for:
  • Before you fill out a form or give someone a credit card, do a web search to see what other people are saying about the company and its practices.
  • Be wary of companies that ask for upfront charges for services that Google actually offers for free. Check out our business solutions page before writing a check.
  • Always read the fine print. Watch out for get-rich-quick schemes that charge a very low initial fee before sneaking in large recurring charges on your credit card or bank account.
  • Google never guarantees top placement in search results or AdWords — beware of companies that claim to guarantee rankings, allege a special relationship with Google, or advertise a "priority submit" to Google. There is no priority submit for Google. In fact, the only way to submit a site to Google directly is through our Add URL page or through the Sitemaps program — you can do these tasks yourself at no cost whatsoever.
  • Be wary of anything resembling a pyramid scheme, where you make commissions by recruiting more participants.
  • Some sales pitches use the word "Google" or other trademarks right in their name with targeted phrases like "cash," "pay day," "money," "secrets," "home business," etc. If you can't find it on our list of Google products or on the business solutions page, don't trust it.
  • Look for third party verification. Scammers can easily cut-and-paste images to plaster a site with "as seen on TV," "five-star reviews" and the logos of well-known news channels. Products that have really been recommended by experts and fellow users typically contain links from legitimate news sites and multiple user review sites.
  • Reserve the same skepticism for unsolicited email about making money with Google AdWords as you do for "burn fat at night" diet pills or requests to help transfer funds from deposed dictators. In general, be wary of offers from firms that email you out of the blue. Amazingly, we get these spam emails too:
"I visited your website and noticed that you are not listed in most of the major search engines and directories..."
  • Google is not running a lottery, and we have not picked your email address to win millions of dollars. Don't give out your bank account details via email in anticipation of a big jackpot.

What you can do

  • If you come across many sites with duplicate content or common templates intended to direct users to the same product or scheme, please let us know with a spam report.
  • If you've been contacted to place suspicious links on your site for money, let us know with the paid link report form. If you have your own website or are in charge of advertising on a site, think carefully before accepting ads or entering into affiliate programs that will lead your users to schemes like those mentioned above.
  • If your site's forums or comment sections have been spammed with fake offers of fabulous financial gain, you may need to take steps to fight comment spam. Spammers will take advantage of any user-generated content sections of your site, and will even generate thousands of fake user profiles to try to slip under the radar.
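One way to spot the "many sites with duplicate content or common templates" pattern from the first bullet above, added as an illustration that is not part of this post and not Google's own spam-detection code. The four pages, their text and their outbound links are constructed. Pages are grouped by the host their links push visitors to, then clustered by near-duplicate text using word shingles and Jaccard similarity, so a template reused with only the name and the dollar figure changed still groups together, while an unrelated site does not.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed pages: name -> (visible text, the link every page pushes visitors to).
# Hostnames use the reserved .test top-level domain.
PAGES = {
    "mom-blog-1": (
        "Hi, my name is Sarah and I am a stay-at-home mom. Last month I found a Google "
        "money secret that paid me 5000 dollars from home with no experience. Click here "
        "to get your Google pay day kit.",
        "http://example-kit.test/signup?aff=1071",
    ),
    "mom-blog-2": (
        "Hi, my name is Jessica and I am a stay-at-home mom. Last month I found a Google "
        "money secret that paid me 4800 dollars from home with no experience. Click here "
        "to get your Google pay day kit.",
        "http://example-kit.test/signup?aff=2243",
    ),
    "mom-blog-3": (
        "Hi, my name is Megan and I am a stay-at-home mom. Last month I found a Google "
        "money secret that paid me 5000 dollars from home with no experience. Click here "
        "to get your Google pay day kit.",
        "http://other-kit.test/go",
    ),
    "bakery": (
        "Our family bakery in Portland has baked sourdough every morning since 1982. "
        "Order online for pickup or visit us on Alder Street.",
        "http://bakery.test/order",
    ),
}


def shingles(text, k=3):
    """Set of k-word shingles; punctuation and case are ignored."""
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Similarity of two shingle sets: shared shingles over all shingles."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def _find(parent, n):
    while parent[n] != n:
        parent[n] = parent[parent[n]]
        n = parent[n]
    return n


def find_duplicate_networks(pages, k=3, threshold=0.5):
    """Return (host, [page names]) for every group of two or more pages that
    funnel visitors to the same host and share near-duplicate text."""
    by_host = defaultdict(list)
    for name, (_text, link) in pages.items():
        by_host[urlsplit(link).hostname or ""].append(name)
    fingerprints = {name: shingles(text, k) for name, (text, _link) in pages.items()}
    clusters = []
    for host, names in sorted(by_host.items()):
        parent = {n: n for n in names}
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if jaccard(fingerprints[a], fingerprints[b]) >= threshold:
                    parent[_find(parent, a)] = _find(parent, b)
        groups = defaultdict(list)
        for n in names:
            groups[_find(parent, n)].append(n)
        for members in groups.values():
            if len(members) > 1:
                clusters.append((host, sorted(members)))
    return clusters


if __name__ == "__main__":
    for host, members in find_duplicate_networks(PAGES):
        print(host, "<-", ", ".join(members))
```

Grouping by destination host first keeps each cluster tied to one scheme, which is what a spam report needs; drop that grouping if you instead want to see the same template reused across several products, in which case the third page would join the first two.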

Wednesday 1 July 2009

What we've learned about spam

Blended threats. Payload viruses. Spam. If you're one of the more than 15 million people whose work email is protected by Postini's email security products, we hope you don't spend a lot of time thinking about these things. And if we're doing our job right, they certainly shouldn't be showing up in your inboxes. But we process more than 3 billion business emails per day for our customers, culling the spam, viruses, and other threats out, so we do think about this stuff. A lot.

On occasion, we like to share some of what we've learned, so that those of you who are interested can see what spammers are up to. If you're one of those people, head over to our Enterprise Blog for an update on spam trends over the past few months.