Securing your WiFi network

This post is part of a regular series of privacy and security tips to help you and your family stay safe and secure online. Privacy and security are important topics—they matter to us, and they matter to you. Building on our Good to Know site with advice for safe and savvy Internet use, we hope this information helps you understand the choices and control that you have over your online information. -Ed.

More than a quarter of Internet users worldwide use WiFi at home to connect to the web, but many aren't sure how to protect their home network, or why it is important to do so. The best way to think of your home WiFi network is to think of it like your front door: you want a strong lock on both to ensure your safety and security.

When data is in transit over an unsecured WiFi network, the information you’re sending or receiving could be intercepted by someone nearby. Your neighbors might also be able to use the network for their own Internet activities, which might slow down your connection. Securing your network can help keep your information safe when you’re connecting wirelessly, and can also help protect the devices that are connected to your network.

If you’re interested in improving your home WiFi security, the steps below can help make your home network safer.

1. Check to see what kind of home WiFi security you already have.
Do your friends need to enter a password to get on your network when they visit your house for the first time and ask to use your WiFi? If they don’t, your network isn’t as secure as it could be. Even if they do need to enter a password, there are a few different methods of securing your network, and some are better than others. Check what kind of security you have for your network at home by looking at your WiFi settings. Your network will likely either be unsecured, or secured with WEP, WPA or WPA2. WEP is the oldest wireless security protocol, and it’s pretty weak. WPA is better than WEP, but WPA2 is best.

2. Change your network security settings to WPA2.
Your wireless router is the machine that creates the WiFi network. If you don’t have your home network secured with WPA2, you’ll need to access your router’s settings page to make the change. You can check your router’s user manual to figure out how to access this page, or look for instructions online for your specific router. Any device with a WiFi trademark sold since 2006 is required to support WPA2. If you have a router that was made before then, we suggest upgrading to a new router that does offer WPA2. It’s safer and can be much faster.

3. Create a strong password for your WiFi network.
To secure your network with WPA2, you’ll need to create a password. It’s important that you choose a unique password, with a long mix of numbers, letters and symbols so others can’t easily guess it. If you’re in a private space such as your home, it’s OK to write this password down so you can remember it, and keep it somewhere safe so you don’t lose it. You might also need it handy in case your friends come to visit and want to connect to the Internet via your network. Just like you wouldn’t give a stranger a key to your house, you should only give your WiFi password to people you trust.

4. Secure your router too, so nobody can change your settings.
Your router needs its own password, separate from the password you use to secure your network. Routers come without a password, or if they do have one, it’s a simple default password that many online criminals may already know. If you don’t reset your router password, criminals anywhere in the world have an easy way to launch an attack on your network, the data shared on it and the computers connected to your network. For many routers, you can reset the password from the router settings page. Keep this password to yourself, and make it different from the one you use to connect to the WiFi network (as described in step 3). If you make these passwords the same, then anyone who has the password to connect to your network will also be able to change your wireless router settings.

5. If you need help, look up the instructions.
If you’ve misplaced your router’s manual, type the model number of your base station or router into a search engine—in many cases the info is available online. Otherwise, contact the company that manufactured the router or your Internet Service Provider for assistance.
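The check in steps 1 and 2 can be scripted on a Linux laptop. The sketch below is an added example, not part of the original post: it assumes scan output captured with `nmcli -t -f SSID,SECURITY device wifi list` (the sample lines are constructed) and reports the weakest mode each network accepts, since a router in mixed WPA/WPA2 mode still lets clients connect with the older protocol.

```python
# Ranking from the post: unsecured < WEP < WPA < WPA2. WPA3 postdates the post.
RANK = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
TOKENS = {"WEP": "WEP", "WPA1": "WPA", "WPA": "WPA", "WPA2": "WPA2", "WPA3": "WPA3"}


def split_terse(line):
    """Split an nmcli terse-mode line on ':' while honouring backslash escapes."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped ':' or '\' inside an SSID
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def weakest_mode(security):
    """Return the weakest protocol listed in the SECURITY column."""
    security = security.strip()
    if security in ("", "--"):
        return "open"
    modes = {TOKENS[t] for t in security.split() if t in TOKENS}
    if not modes:
        return "unknown"  # e.g. only an enterprise-auth token was listed
    return min(modes, key=RANK.__getitem__)


def audit(scan_text):
    """Return (ssid, weakest mode, meets the WPA2 bar) for each scanned network."""
    findings = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) < 2:
            continue
        mode = weakest_mode(fields[1])
        findings.append((fields[0], mode, RANK.get(mode, -1) >= RANK["WPA2"]))
    return findings


# Constructed sample scan; the SSIDs are made up.
SAMPLE_SCAN = "\n".join([
    "HomeNet:WPA2",
    "OldRouter:WEP",
    "Cafe\\:Guest:",
    "Neighbour:WPA1 WPA2",
    "NewMesh:WPA2 WPA3",
])

if __name__ == "__main__":
    for ssid, mode, ok in audit(SAMPLE_SCAN):
        print(f"{ssid:12} {mode:8} {'ok' if ok else 'change to WPA2'}")
```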

Please check out the video below to learn more about the simple but important steps you can take to improve the security of your Internet browsing.

For more advice on how to protect yourself and your family online, visit our Good to Know site, and stay tuned for more posts in our security series.

Helping passwords better protect you

Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. Starting today, we'll also be posting regularly with privacy and security tips. We hope this information helps you understand the choices and control that you have over your online information. -Ed.

It could be your Gmail, your photos or your documents—whatever you have in your Google Account, we work hard to make sure it’s protected from would-be identity thieves, other bad guys, or any illegitimate attempts to access your information.

But you can also help keep your information safe. Think of how upset you would be if someone else got access to your Google Account without your permission, and then take five minutes to follow the steps below and help make it more secure. Let’s start with the key to unlocking your account—your password:

1. Use a different password for each important service
Make sure you have a different password for every important online account you have. Bad guys will steal your username and password from one site, and then use them to try to log into lots of other sites where you might have an account. Even large, reputable sites sometimes have their password databases stolen. If you use the same password across many different sites, there’s a greater chance it might end up on a list of stolen passwords. And the more accounts you have that use that password, the more data you might lose if that password is stolen.

Giving an account its own, strong password helps protect you and your information in that account. Start today by making sure your Google Account has a unique password.

2. Make your password hard to guess
“password.” “123456.” “My name is Inigo Montoya. You killed my father. Prepare to die!” These examples are terrible passwords because everyone knows them—including potential attackers. Making your passwords longer or more complicated makes them harder to guess for both bad guys and people who know you. We know it’s hard: the average password is shorter than 8 characters, and many just contain letters. In a database of 32 million real passwords that were made public in 2009, analysis showed (PDF) only 54 percent included numbers, and only 3.7 percent had special characters like & or $.

One way to build a strong password is to think of a phrase or sentence that other people wouldn’t know and then use that to build your password. For example, for your email you could think of a personal message like “I want to get better at responding to emails quickly and concisely” and then build your password from numbers, symbols, and the first letters of each word—“iw2gb@r2eq&c”. Don’t use popular phrases or lyrics to build your password—research suggests that people gravitate to the same phrases, and you want your password to be something only you know.

Google doesn’t restrict password length, so go wild!

3. Keep your password somewhere safe
Research shows (PDF) that worrying about remembering too many passwords is the chief reason people reuse certain passwords across multiple services. But don’t worry—if you’ve created so many passwords that it’s hard to remember them, it’s OK to make a list and write them down. Just make sure you keep your list in a safe place, where you won’t lose it and others won’t be able to find it. If you’d prefer to manage your passwords digitally, a trusted password manager might be a good option. Chrome and many web browsers have free password managers built into them, and there are many independent options as well—take a few minutes to read through reviews and see what would be best for your needs.

4. Set a recovery option
Have you ever forgotten your password? Has one of your friends ever been locked out of their account? Setting a recovery option, like an alternate email address or a telephone number, helps give the service provider another way to contact you if you are ever locked out of your account. Having an up-to-date recovery phone or email address is the best thing you can do to make sure you can get back into your account fast if there is ever a problem.

If you haven’t set a recovery option for your Google Account, add one now. If you have, just take a second to make sure it’s up to date.
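The rules in steps 1 and 2 (a different password per service, long, with numbers and symbols) can be checked against a password manager's CSV export. This is an added example, not part of the original post; the `name` and `password` column names and the sample entries are assumptions, and the file should be deleted after the check because the export is unencrypted.

```python
import csv
import hashlib
import io
import string
from collections import defaultdict

MIN_LENGTH = 8  # the post notes that the average password is shorter than 8 characters


def audit_export(csv_text):
    """Return {entry name: [issues]} for entries that break a rule from the post."""
    by_digest = defaultdict(list)
    issues = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, password = row["name"], row["password"]
        # Group by hash so reuse is detected without keeping a password-to-site map.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(name)
        if len(password) < MIN_LENGTH:
            issues[name].append("short")
        if not any(c.isdigit() for c in password):
            issues[name].append("no-digit")
        if not any(c in string.punctuation for c in password):
            issues[name].append("no-symbol")
    for names in by_digest.values():
        if len(names) > 1:  # the same password protects more than one account
            for name in names:
                issues[name].append("reused")
    return dict(issues)


# Constructed sample export; every value is made up.
SAMPLE_EXPORT = """name,url,username,password
mail,https://mail.example,ana,c4rr0t!Lamp#9z
forum,https://forum.example,ana,sunshine
shop,https://shop.example,ana,sunshine
bank,https://bank.example,ana,Tr0ub4dor
"""

if __name__ == "__main__":
    for name, found in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(found)}")
```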

We have more tips on how to pick a good password on our Help Center, and in the video below:

Your online safety and privacy is important to you, and it’s important to us, too. We’ve made a huge amount of progress to help protect your Google Account from people who want to break into it, but for the time being, creating a unique, strong password is still an important way to protect your online accounts. Please take five minutes today to reset your important passwords using the tips above, and stay tuned for more security tips throughout the summer.

Transparency Report: Shedding more light on National Security Letters

Our users trust Google with a lot of very important data, whether it’s emails, photos, documents, posts or videos. We work exceptionally hard to keep that information safe—hiring some of the best security experts in the world, investing millions of dollars in technology and baking security protections such as 2-step verification into our products.

Of course, people don’t always use our services for good, and it’s important that law enforcement be able to investigate illegal activity. This may involve requests for personal information. When we receive these requests, we:

  • scrutinize them carefully to ensure they satisfy the law and our policies;
  • seek to narrow requests that are overly broad;
  • notify users when appropriate so they can contact the entity requesting the information or consult a lawyer; and
  • require that government agencies use a search warrant if they’re seeking search query information or private content, like Gmail and documents, stored in a Google Account.

When conducting national security investigations, the U.S. Federal Bureau of Investigation can issue a National Security Letter (NSL) to obtain identifying information about a subscriber from telephone and Internet companies. The FBI has the authority to prohibit companies from talking about these requests. But we’ve been trying to find a way to provide more information about the NSLs we get—particularly as people have voiced concerns about the increase in their use since 9/11.

Starting today, we’re now including data about NSLs in our Transparency Report. We’re thankful to U.S. government officials for working with us to provide greater insight into the use of NSLs. Visit our page on user data requests in the U.S. and you’ll see, in broad strokes, how many NSLs for user data Google receives, as well as the number of accounts in question. In addition, you can now find answers to some common questions we get asked about NSLs on our Transparency Report FAQ.

You'll notice that we're reporting numerical ranges rather than exact numbers. This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations. We plan to update these figures annually.

(Cross-posted on the Public Policy Blog)

An update on our war against account hijackers

Have you ever gotten a plea to wire money to a friend stranded at an international airport? An oddly written message from someone you haven’t heard from in ages? Compared to five years ago, more scams and illegal, fraudulent or spammy messages today come from someone you know. Although spam filters have become very powerful—in Gmail, less than 1 percent of spam emails make it into an inbox—these unwanted messages are much more likely to make it through if they come from someone you’ve been in contact with before. As a result, in 2010 spammers started changing their tactics—and we saw a large increase in fraudulent mail sent from Google Accounts. In turn, our security team has developed new ways to keep you safe, and dramatically reduced the amount of these messages.

Spammers’ new trick—hijacking accounts
To improve their chances of beating a spam filter by sending you spam from your contact’s account, the spammer first has to break into that account. This means many spammers are turning into account thieves. Every day, cyber criminals break into websites to steal databases of usernames and passwords—the online “keys” to accounts. They put the databases up for sale on the black market, or use them for their own nefarious purposes. Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others.

With stolen passwords in hand, attackers attempt to break into accounts across the web and across many different services. We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.
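The sign-in pattern described above, one source working through many different accounts, is something any service can look for in its own authentication logs. The detector below is an added example, not Google's system and not from the original post; the log format, the 60-second window and the threshold of five accounts are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_DISTINCT_USERS = 5          # assumed threshold; tune against real traffic


def parse(line):
    """Parse '<ISO timestamp>Z ip=... user=... result=ok|fail' (assumed format)."""
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["ip"], fields["user"], fields["result"]


def flag_sources(lines):
    """Return {ip: peak count of distinct accounts with failed sign-ins per window}."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs inside the window
    flagged = {}
    for line in lines:
        when, ip, user, result = parse(line)
        if result != "fail":
            continue
        queue = recent[ip]
        queue.append((when, user))
        while when - queue[0][0] > WINDOW:
            queue.popleft()  # drop attempts that have aged out of the window
        distinct = len({u for _, u in queue})
        # Many accounts from one source is the signal; one user retrying is not.
        if distinct > MAX_DISTINCT_USERS:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


# Constructed sample: one source cycling through accounts, one user mistyping.
SAMPLE_LOG = [
    f"2013-02-19T10:00:{i:02d}Z ip=203.0.113.7 user=user{i} result=fail"
    for i in range(8)
] + [
    "2013-02-19T10:00:03Z ip=198.51.100.20 user=dana result=fail",
    "2013-02-19T10:00:09Z ip=198.51.100.20 user=dana result=fail",
    "2013-02-19T10:00:15Z ip=198.51.100.20 user=dana result=fail",
    "2013-02-19T10:00:21Z ip=198.51.100.20 user=dana result=ok",
]

if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: failed sign-ins against {count} accounts within {WINDOW}")
```

A per-source counter like this misses attempts spread across many addresses, which is one reason the per-sign-in risk analysis described in the post looks at more than the source.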

Legitimate accounts blocked for sending spam: Our security systems have dramatically reduced the number of Google Accounts used to send spam over the past few years

How Google Security helps protect your account
Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.

If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.

Help protect your account
While we do our best to keep spammers at bay, you can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use 2-step verification, and updating the recovery options on your account such as your secondary email address and your phone number. Following these three steps can help prevent your account from being hijacked—this means less spam for your friends and contacts, and improved security and privacy for you.

Safer Internet Day: How we help you stay secure online

Technology can sometimes be complicated, but you shouldn’t have to be a computer scientist or security expert to stay safe online. Protecting our users is one of our top priorities at Google. Whether it’s creating easy-to-use tools to help you manage your information online or fighting the bad guys behind the scenes, we’re constantly investing to make Google the best service you can rely on, with security and privacy features that are on 24-7 and working for you.

Last year, we launched Good to Know, our biggest-ever consumer education campaign focused on making the web a safer, more comfortable place. Today, on Safer Internet Day, we’re updating Good to Know to include more tips and advice to help you protect yourself and your family from identity theft, scams and online fraud. You can also learn how to make your computer or mobile device more secure, and get more out of the web—from searching more effectively to making calls from your computer. And you can find out more about how Google works to make you, your device and the whole web safer.

For example, we encrypt the Gmail and Google Search traffic between your computer and Google—this protects your Google activity from being snooped on by others. We also make this protection, known as session-wide SSL encryption, the default when you’re signed into Google Drive. Because outdated software makes your computer more vulnerable to security problems, we built the Chrome browser to auto-update to the latest version every time you start it. It gives you up-to-date security protection without making you do any extra work.

Even if you don’t use Google, we work hard to make the web safer for you. Every day we identify more than 10,000 unsafe websites—and we inform users and other web companies what we’ve found. We show warnings on up to 14 million Google Search results and 300,000 downloads, telling our users that there might be something suspicious going on behind a particular website or link. We share that data with other online companies so they can warn their users.

We know staying safe online is important to you—and it is important to us too. Please take some time today to make your passwords stronger and turn on 2-step verification to protect your Google Account. Talk with friends and family about Internet safety. And visit our new Good to Know site to find more tips and resources to help you stay safe online.

Transparency Report: What it takes for governments to access personal information

Today we’re releasing new data for the Transparency Report, showing that the steady increase in government requests for our users’ data continued in the second half of 2012, as usage of our services continued to grow. We’ve shared figures like this since 2010 because it’s important for people to understand how government actions affect them.

We’re always looking for ways to make the report even more informative. So for the first time we’re now including a breakdown of the kinds of legal process that government entities in the U.S. use when compelling communications and technology companies to hand over user data. From July through December 2012:
  • 68 percent of the requests Google received from government entities in the U.S. were through subpoenas. These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (“ECPA”), and are the easiest to get because they typically don’t involve judges.
  • 22 percent were through ECPA search warrants. These are, generally speaking, orders issued by judges under ECPA, based on a demonstration of “probable cause” to believe that certain information related to a crime is presently in the place to be searched.
  • The remaining 10 percent were mostly court orders issued under ECPA by judges or other processes that are difficult to categorize.

User data requests of all kinds have increased by more than 70 percent since 2009, as you can see in our new visualizations of overall trends. In total, we received 21,389 requests for information about 33,634 users from July through December 2012.

We’ll keep looking for more ways to inform you about government requests and how we handle them. We hope more companies and governments themselves join us in this effort by releasing similar kinds of data.

One last thing: You may have noticed that the latest Transparency Report doesn’t include new data on content removals. That’s because we’ve decided to release those numbers separately going forward. Stay tuned for that data.