Google's Mark Risher: We've never abused your 2FA data

We spoke to Google's Mark Risher on today's security challenges and the way Google approaches them.
By Stan Schroeder

There's arguably no company that knows more about e-mail security than Google. Its online account, primarily tied to its e-mail service, Gmail, is used by more than a billion people to log into a myriad of other online services.

The company recently launched a physical authentication device and overhauled its security and privacy center, which was a good opportunity to talk with Google's Privacy & Security chief Mark Risher about the new products as well as the security challenges internet users face today.

The days when merely having a good 8-character password and not opening unknown e-mail attachments was enough to keep you secure online are gone. One trend Risher sees is targeted phishing attacks that are far more dangerous than your typical "Nigerian prince" scam, as they're tailored to a specific target and are much more likely to fool an unwary user.

You may be a target of whaling, even if you're not a whale

These "spear phishing or whaling" attacks, as Risher called them, won't be generic and dumb. For example, you might get an e-mail from a person who works for your organization, addressing you directly. "Hey Stan, can you just fill out this form for me," it'll say, and when you open the attachment, boom, you're compromised.

While this sounds like something that might happen to Tom Cruise's character in a spy movie, Risher says these types of attacks are fairly broad-based: compromising one person is often just the first step, used to reach someone else higher up in the organization.

To combat these, Google recently started offering a new way to protect yourself from attacks.

"Google created the Advanced Protection Program, which is aimed for people who think they may be at risk. With one step they can turn protection to the highest level," he told me over the phone.

Don't re-use passwords. Ever.

The times have changed, but your passwords are still important. The problem is, most of what you know about passwords is probably wrong. Having a 17-character soup that looks something like "a4535nas!054jfsf!" (not my actual password) won't help you much if you use it on more than one site. If one of those sites gets compromised, Risher says, you're toast.

"Far more important than telling people how many characters they should use in their password is telling them to use a password manager," he said.

In September, Google improved the password manager inside its web browser, Chrome. It now prompts users to choose a different password for different sites.

Risher has words of advice for paranoid folks like me, who tend to change their passwords after every public wi-fi session.

"I wouldn't recommend for people to change their passwords often. They usually end up making small, incremental changes to their passwords, like adding a number at the end, which is trivial for an expert to defeat."

Is your 2FA data safe?

One security measure that everyone advises these days, Risher included, is two-factor authentication. It makes it a lot harder for hackers to get to your data, even if your password is compromised.

But 2FA has gotten a bit of a bad rep recently, after it was discovered that Facebook had used users' phone numbers, provided for 2FA, for advertising purposes.

"Google has never done anything like that," Risher told me.

"Our privacy focus has always been rooted in being extremely, excruciatingly transparent about what information we collect, why we're collecting it, how it's going to be used, and providing easily accessible control so that anyone who wants to change how their information is being used can do it with a couple of clicks."

Physical authentication devices work very well

Google has recently launched a physical two-factor authentication device called Titan. It provides additional security, but the necessity of lugging another physical device with you and having to rely on it to log into services you use daily can sound like a chore to a lot of people, so I asked Risher whether the Titan is something regular users should consider.

"It is truly a game changer. Since Google has been requiring security key use for our employees, we've had zero cases of password phishing," he said.

"The great thing about this physical device is that it's truly resilient to common types of phishing attacks. Humans can easily be tricked with a site that looks similar to another site. Computers are really good at knowing when something's not identical, and the Titan makes sure you're really interacting with the site you want to be interacting with."

Security overkill is counter-productive

We can probably all agree that more security is better for everyone, but sometimes certain sites and services go into security overkill, requiring users to jump through many hoops before they can do something as simple as logging into a social media account. Risher told me that Google has deliberately avoided this approach by making everything simple, except in very special, exceptional cases in which it's important for you to pay attention to what you're doing.

"It's very possible to do too much, which leads into unintended consequences. If you have three locks on your door, it might appear safe, but after a few weeks, you'll just stop locking the other two locks," he said. "Google makes it dead-simple most of the time, but tries to make you focus when you change important security information."

Don't brag about how many bitcoins you have

Risher also shared his opinion on security in the age of cryptocurrency, when every user is basically her own bank.

"One challenge of cryptocurrency is that it's risen in value so rapidly, that there's a lot of players with substantial means who don't understand all the technical aspects of it," he said.

"At the same time, some of these people are very publicly bragging about how much crypto money they have (...) which turns them into a target."

For protection, Risher advises considering Google's Advanced Protection Program, as well as heeding common sense advice which predates cryptocurrencies and the internet.

"If something sounds too good to be true, it probably is," he said.

Stan Schroeder, Senior Editor

Stan is a Senior Editor at Mashable, where he has worked since 2007. He's got more battery-powered gadgets and band t-shirts than you. He writes about the next groundbreaking thing. Typically, this is a phone, a coin, or a car. His ultimate goal is to know something about everything.
