Google’s stealthy sign-in sentry can pick up pilfered passwords

Two things happened on Halloween with a bearing on cybersecurity.

The first is that the 15th year of the National Cyber Security Awareness Month (NCSAM) came to an end. You have heard of NCSAM, right?

The second, apparently timed to coincide with 31 October, was that Google is yet again modifying the background security checks it performs during account sign-in, as well as modifying its recovery process in the event of unauthorised access. There’s also important news if you’re a hold-out against enabling JavaScript.

The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.

Google product manager Jonathan Skelker wrote in a blog announcement:

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious.

The company is deliberately vague about which signals count as suspicious, but it alluded to similar ideas in the reCAPTCHA v3 announcement from earlier this week.

No JavaScript, no Google

However, distinguishing an unauthorised sign-in from a legitimate one requires that you haven’t disabled JavaScript, whether completely in your browser’s settings or selectively with an extension such as NoScript. Google reckons around 0.1% of its users do this to counter what they see as the language’s potential for misuse. However:

We’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.

Attempting to sign in with JavaScript disabled will confront the user with the following error message:

The browser you’re using doesn’t support JavaScript, or has JavaScript turned off. To keep your Google account secure, try signing in on a browser that has JavaScript turned on.

In short, if you’re in the 0.1%, JavaScript will have to be enabled, at least temporarily, on the sign-in page before you can get into your Google account.