Google is again urging Gmail users to abandon passwords for enhanced account security, citing increasing global scam threats and AI misuse by organized crime groups.
Google confirms that “Scams continue to be a persistent global challenge,” driven by “transnational crime groups who seek to exploit vulnerable people online for financial gain.” These groups include Chinese organized criminal gangs targeting Android and iPhone users with malicious text messages. Threats are escalating: “57% of adults experienced a scam in the past year, with 23% reporting money stolen.” Scammers are also “increasingly misusing AI tools to efficiently scale and enhance their schemes.”
Most cyberattacks aim to access accounts across platforms like Google, Microsoft, Apple, Facebook, and Amazon, as well as various financial institutions. This access is typically sought through phishing emails, malicious texts, imposter hacker calls, or fraudulent pop-ups, all directing users to “Enter your username and password here.”
Google initially advised transitioning from passwords to passkeys in 2023. The recommendation stems not from a breach but from the superior protection passkeys offer.
Fast Company highlighted Google’s stance, stating, “Google is telling users to change their passwords, but not because of a breach that exposed them. In fact, Google’s real advice is to stop using your password altogether.”
The company explains, “When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it.” This mechanism means “passkeys protect you against phishing and any accidental mishandling that passwords are prone to, such as being reused or exposed in a data breach.” Even after addressing misreporting about alleged Gmail password leaks, Google reiterates that “adopting passkeys is a stronger and safer alternative to passwords.” A recent report listed 394 million unique Gmail addresses in a compilation of breached username and password data.
Microsoft also recommends users entirely delete passwords from their accounts. Google’s approach allows users to bypass both the password and two-step verification (2SV) when using a passkey. Passkeys are sufficiently robust to substitute for security keys in the Advanced Protection Program. The company also stated it will “pay closer attention to the sign-ins that fall back to passwords,” thereby tightening account security. Google is at the forefront of passkey adoption, experiencing a “352% increase in the past year.”
The imperative to secure Google/Gmail accounts is heightened by the extensive use of Google credentials for authenticating with other online services. Dashlane reports that Google “commands half of all passkey authentication activity measured in our dataset,” and its volume “dwarfs that of other platforms.” Google functions as a Single Sign-On (SSO) provider, enabling users to access numerous other domains.
Research by NordPass on the security of the “1,000 most visited websites in the world” revealed that “39% (of the websites) offer single sign-on (SSO),” with Google powering “9 out of 10 SSO options.” Consequently, if a Google username and password are compromised without stronger security, multiple connected accounts are at risk. NordPass further notes that “up to 86% of all basic web application attacks use stolen credentials for initial access” and “the average user has around 170 passwords.”
NordPass concurs with Google that “passkeys are the answer,” endorsed by the FIDO Alliance as the modern resolution to password issues. It highlights that “bad password habits don’t just recur out of user convenience—in fact, the websites themselves push users to take the easier way out by not enforcing strict password requirements and supporting weak credential use.”





