Despite data breaches and hacks of major companies including retailers and financial services providers, Internet users are still relying on the same passwords for several websites, a new study by Google found.
Considered a big no-no by any self-respecting security professional, password reuse remains widespread: Google reported in a recent study that 1.5% of logins on the web involve credentials that were already compromised.
Google wants to create a privacy-preserving protocol
The research grew out of Google's desire to create a privacy-preserving protocol that would enable an end user, password manager or identity provider to check whether a specific username and password combination has been breached without revealing the information being searched. To demonstrate the feasibility of this protocol, Google developed a cloud service that mediates access to more than 4 billion credentials found in breaches and a Chrome extension that acted as the initial client.
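The lookup described above, as an added illustrative example that is neither Google's code nor its deployed protocol: a simplified blinded (Diffie-Hellman style) membership check in Python, using constructed toy group parameters and a constructed breach list. The server learns only a one-byte hash prefix and a blinded group element, and the client learns only whether its keyed value appears in the returned bucket; a real deployment would use an elliptic-curve group and a slow password hash.

```python
import hashlib
import secrets

# Constructed toy parameters, NOT secure sizes: p is a safe prime (p = 2q + 1), so the
# quadratic residues mod p form a subgroup of prime order q. Small integers keep the
# arithmetic visible; a real deployment would use an elliptic-curve group instead.
P = 10007
Q = 5003

def hash_to_group(cred: str) -> int:
    """Map a credential string to a non-identity element of the order-q subgroup."""
    counter = 0
    while True:
        h = int.from_bytes(hashlib.sha256(f"{counter}:{cred}".encode()).digest(), "big") % P
        g = pow(h, 2, P)          # squaring lands in the quadratic-residue subgroup
        if g not in (0, 1):       # skip the rare degenerate values
            return g
        counter += 1

def canonical(username: str, password: str) -> str:
    return f"{username.lower()}:{password}"

def bucket_prefix(cred: str) -> int:
    # One-byte prefix: the only thing besides the blinded value that leaves the client.
    return hashlib.sha256(cred.encode()).digest()[0]

class BreachServer:
    """Holds a secret key k and stores only keyed elements H(cred)^k, bucketed by prefix."""
    def __init__(self, breached: list[tuple[str, str]]):
        self.k = secrets.randbelow(Q - 2) + 2
        self.buckets: dict[int, set[int]] = {}
        for u, pw in breached:
            cred = canonical(u, pw)
            keyed = pow(hash_to_group(cred), self.k, P)
            self.buckets.setdefault(bucket_prefix(cred), set()).add(keyed)

    def query(self, prefix: int, blinded: int) -> tuple[int, set[int]]:
        # The server sees H(cred)^r, which reveals nothing about cred without r.
        return pow(blinded, self.k, P), self.buckets.get(prefix, set())

def is_breached(server: BreachServer, username: str, password: str) -> bool:
    cred = canonical(username, password)
    x = hash_to_group(cred)
    r = secrets.randbelow(Q - 2) + 2                 # client-side blinding factor
    keyed_blinded, bucket = server.query(bucket_prefix(cred), pow(x, r, P))
    keyed = pow(keyed_blinded, pow(r, -1, Q), P)    # unblind: ((x^r)^k)^(1/r) = x^k
    return keyed in bucket

# Constructed sample breach corpus, not real leaked data.
BREACHED = [("alice", "hunter2"), ("bob", "Passw0rd!"), ("carol", "letmein")]
SERVER = BreachServer(BREACHED)

if __name__ == "__main__":
    print(is_breached(SERVER, "Alice", "hunter2"))             # True: reused breached credential
    print(is_breached(SERVER, "alice", "new-long-passphrase")) # False
```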
In February Google launched its Password Checkup extension for Chrome, which warns users if they log into a website using a compromised username and password. The extension was developed in conjunction with cryptography experts at Stanford University to ensure Google never learns the usernames and passwords. Since making it available, Google says more than 650,000 users have taken part in the experiment. "In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe—1.5% of sign-ins scanned by the extension," Google said in a report.
Some alerted users didn't bother to change their passwords
Of the users who were alerted that their username and password had been breached, Google said 26% changed their password. Users chose to ignore 81,368 (25.7%) of the breach warnings, which could be because they didn't think the account was worth the effort of changing the password, or because the account is a shared one within a household. The researchers said it could also be due to a lack of understanding of the Chrome extension. Of the users who did change their passwords, Google found they chose a stronger password once alerted to the breach.
"Protecting accounts from credential stuffing attacks remains burdensome due to an asymmetry of knowledge: attackers have wide-scale access to billions of stolen usernames and passwords, while users and identity providers remain in the dark as to which accounts require remediation," wrote Google. "Our study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking."