How I (Foolishly) Gave Up My Google Account Password

And how to be more careful about it in the future

Vlad Sabev
6 min read · Apr 6, 2018

Today, I received a very convincing phishing attack on my personal email address. For those not familiar with the term, here’s a definition from Wikipedia:

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

🎣 The Hook

Here’s the content of the email:

And for accessibility:

1 security issue found on your account

We’ve upgraded the Security Checkup to give you specific, personalized recommendations to strengthen the security of your Google Account.
Take the 2-minute checkup today to see the actions you should take to make your account more secure.

CHECK YOUR STATUS

After opening the link, I got to the following page:

The site imitated Google’s very well, and I half expected an email from Google anyway, as I’d been fiddling with my security settings recently.

💣 The Kill

I entered my username, then against all reason proceeded to type my password. Halfway through, I had a gut feeling, so I stopped and checked the website’s domain and certificate:

The domain login.securityportal.info should’ve been a dead giveaway, as it wasn’t google.com, but I carelessly ignored that — I was kind of distracted with something else, so I continued typing my password, almost automatically.

When I tried to log in, nothing seemed to happen. At that moment I didn’t think much of it and decided to resolve the security issue later.

5 minutes after entering my password though, I received an alert that it had been used to sign in from an unknown device and location:

At that point I knew I’d been duped.

✅ Safeguarding

In the past, there had been several attempts to steal my Google password, but there was always something that stood out and made me double and triple check, and I eventually figured out it was a scam.

This time though…I slipped up.

After realizing my password had been compromised, I immediately changed it and reported the email as phishing. Here’s more info from Google on how to do that: https://support.google.com/mail/answer/8253

There are a few things I should’ve done before I entered my Google password.

Check the sender’s address first

If I had seen that the email was sent from support@securityportal.freshdesk.com instead of a google.com domain, I probably would have immediately assumed there was something wrong.

However, since I saw the familiar Google brand colors and design first, I kept thinking it was Google all along, despite the red flags I saw (and ignored).

Only enter the Google password on google.com domains

Assuming SSL means the website is safe to use was a mistake that is obvious in retrospect.

A valid SSL certificate means the connection between you and the website is encrypted, so the data transmitted can’t be read or altered by a middleman. It says nothing about whether the website itself is legitimate — anyone who controls a domain can get a certificate for it!

This stands true for other services too — if you receive an email claiming to be from Dropbox, but you click on a link in the email and land on any domain other than dropbox.com, then that’s almost certainly a phishing attack. We should at the very least exercise more caution if that happens.
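The two checks above (sender address, link domain) can be written down as a small script. This is an added example, not code from the original post; it assumes the service we expect mail from is google.com and treats only that domain and its subdomains as acceptable. The sender address and login host are the ones the post quotes; the path and the two extra lookalike links are constructed.

```python
# Added example (not from the original post): flag a phishing email the way
# the post suggests, by checking the sender's domain and every link's domain
# against the one expected for the service (here google.com).
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "google.com"   # assumption: the service we expect mail from


def host_belongs_to(host, expected):
    """True only if host is exactly `expected` or a subdomain of it.

    Requiring the dot before `expected` is what rejects lookalikes such as
    accounts.google.com.evil-example.test or google.com.evil-example.test.
    """
    host = host.lower().rstrip(".")
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def link_domain_ok(url, expected=EXPECTED_DOMAIN):
    """Accept only https links whose host is the expected domain or a subdomain.

    urlsplit().hostname discards the userinfo part, so a URL such as
    https://google.com@login.securityportal.info/ is judged by its real host,
    not by the decoy text before the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return host_belongs_to(parts.hostname or "", expected)


def sender_domain_ok(from_header, expected=EXPECTED_DOMAIN):
    """Check the domain of the address inside a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return host_belongs_to(addr.rsplit("@", 1)[1], expected)


def check_message(from_header, urls, expected=EXPECTED_DOMAIN):
    """Return human-readable findings; an empty list means no red flags."""
    findings = []
    if not sender_domain_ok(from_header, expected):
        findings.append(f"sender {from_header!r} is not from {expected}")
    for url in urls:
        if not link_domain_ok(url, expected):
            findings.append(f"link {url!r} does not go to {expected}")
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the email in the post: the sender and the
    # login host are the ones the post quotes; the path and extra links are made up.
    from_header = "Google <support@securityportal.freshdesk.com>"
    urls = [
        "https://login.securityportal.info/security-checkup",  # the post's domain
        "https://accounts.google.com/signin",                   # genuine domain
        "https://google.com@login.securityportal.info/",        # decoy userinfo
        "https://accounts.google.com.evil-example.test/login",  # suffix lookalike
    ]
    for finding in check_message(from_header, urls):
        print("RED FLAG:", finding)
```

Two caveats: the From: header is trivially forgeable, so this catches the kind of attack in the post (a different domain in plain sight) rather than a spoofed sender, which is what SPF, DKIM and DMARC are for; and a subdomain rule is only appropriate for a domain the service fully controls, so it should not be reused for providers that hand out subdomains to arbitrary users.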

Take 30 seconds to think before entering the password

Typing my password is muscle memory — I’ve done it so many times, it’s as if my fingers move on their own. And if I’m tired and distracted, as I happened to be today, it’s easier to type my password than think about the consequences.

Use 2-Factor Authentication (2FA)

As

pointed out in his comment, 2-factor authentication, also known as 2-step verification, can greatly limit security risks. I had disabled it a few months back, as there was an issue with my Android phone and it could only send me SMS, which I found too noisy at the time.

For more details on what 2FA is and how to enable it for your account, see this page by Google: https://www.google.com/landing/2step

💡 Good Practices For a Strong Password

Use a specific password only on one website

Even though the attackers got my account password, they couldn’t log in with it, as Google prevented them from doing that from an unknown device and location.

Fortunately, I don’t use the same password anywhere else on the Internet, which means no one can use it to get into my private documents or bank account, for example.

Don’t use an easily identifiable pattern

A few years ago I would use the same password everywhere, prefixed with the name of the website. For example, if my main password was super-secret, my Dropbox password would be dropbox-super-secret, my banking password — bank-super-secret, and so on.

💀 This is a bad idea! 💀

Reusing the same pattern means once one password has been compromised attackers can potentially identify the pattern and log into other accounts that use it!

So if Dropbox had a data breach (which they did, in 2012), you could have easily replaced the dropbox- prefix with bank- and accessed my bank account (if you knew which one I used)!

You can check whether your email account has been compromised on https://haveibeenpwned.com which searches through databases of past leaks.

Create your passwords based on personal experiences

When I realized how incredibly dangerous using the same password everywhere is, albeit prefixed with the name of the website, I switched to a different strategy.

Remember security questions that ask you for the name of your first teacher, your first pet, or the street you grew up on? Those are deeply personal things that hackers would have a harder time figuring out than, say, your birthday. The same principles can be applied to creating a strong password.

Without giving up my specific pattern, it’s a combination of the names of people who are personally important to me, combined with something that has shared meaning to both of us, with some special characters thrown in. Some fictional examples using a similar pattern would be:

!martin$hiking@laketahoe

!jane$speaker@vienna

!peter$skiing@thealps

In this case, the password starts with !, followed by the name of the person, then $ + some activity when we met, then @ + the location. In the case of Martin, perhaps we met while hiking at Lake Tahoe. Or Jane was a speaker at a conference in Vienna. Or Peter and I are both passionate about skiing and went on a trip to the Alps once.

Maybe you’ll use the name of your school teachers over the years, or have had lots of pets and can use their names, combined with a unique memory you have of them.

The idea is to build a story around your password — once you do that, you can more easily remember it and associate it with the specific website.

You can also use a passphrase, which is likely to be much stronger than a regular password, and throw in some special characters for websites that require those.

Use a password generator for non-essential accounts

If you’re finding it impractical to remember more than 5–6 passwords at a time, you should consider using a service like LastPass. Personally, I use Google Chrome-generated passwords when registering for most services. This saves me a great deal of time and I only have to remember the 3–4 passwords I created for my most important accounts.
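To put numbers on the passphrase and generator advice above, here is an added example (not code from the post or from any password manager) that picks words or characters with Python’s CSPRNG-backed secrets module and reports the entropy of the choice. The 16-word list is a constructed toy so the script runs offline; the 7776-word figure is the size of a standard diceware list.

```python
# Added example (not from the original post): generate a random passphrase or
# password and report how many bits of entropy the random choice carried.
import math
import secrets
import string

# Constructed toy word list so the example runs offline; a real diceware-style
# list has 7776 words, which is what makes a 4-word passphrase strong.
WORDS = ["amber", "basil", "cedar", "delta", "ember", "fjord", "gecko", "harbor",
         "iris", "juniper", "kayak", "lantern", "maple", "nebula", "orchid", "pepper"]

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def generate_passphrase(words, count=4, sep="-"):
    """Join `count` words picked uniformly at random (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length=16, alphabet=SYMBOLS):
    """Random password of `length` characters drawn from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDS)
    print(phrase,
          f"({entropy_bits(len(WORDS), 4):.1f} bits from this toy list; "
          f"{entropy_bits(7776, 4):.1f} bits from a 7776-word list)")
    password = generate_password()
    print(password, f"({entropy_bits(len(SYMBOLS), 16):.1f} bits)")
```

The point of the entropy line is that strength comes from the number of equally likely choices, not from looking complicated: four words from a 7776-word list give about 52 bits, while a pattern like bank-super-secret adds essentially nothing once super-secret is known, which is the post’s argument against prefixed passwords.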

🔚 Conclusion

Despite my lack of attention and common sense, I got lucky, because Google protected my account. Also, the password was unique and not used anywhere else. I’ve now changed all my most important passwords and re-enabled 2-factor authentication — this experience has helped me take cyber security seriously again.

Hopefully this post helped at least one person keep their account safe!

Have you had experiences with phishing or other scams? Any useful tips for protecting our online accounts? Let’s talk about it in the comments 👇
