If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?
Presumably, the answer is ‘change it immediately’. And yet, according to Google, only one in four users of its Password Checkup Chrome extension decided to do just that when told the same bad news.
Introduced in February, Password Checkup compares a hashed version of every user password entered against a database of four billion that Google knows to have been compromised in breaches.
If it notices a match for a password and username combination, the user can either continue to log in (i.e. ignore it but be warned the next time), log in and change it, or ignore the warning by clicking ‘close’.
Doing the password comparison securely is more technically complicated than it sounds but suffice to say Google went to some lengths to solve the problem.
What it hasn’t yet managed to solve is the bigger problem of user apathy.
The most surprising part of Google’s finding is that these users were among the 650,000 who were motivated enough about security to download the tool in the first place.
In month one alone, Google says it scanned 21 million usernames and passwords, flagging 316,000 or 1.5% as having been part of a breach (a stat that excludes trivial passwords such as ‘12345’, which the tool doesn’t warn against to avoid overstating the obvious).
There is some good news – 60% of those who changed their potentially compromised passwords chose ones that would be hard to guess.
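The hashed comparison described above can be done without the checking service ever learning the password. The example below is added here and is not Google's code or its protocol (Password Checkup blinds the hashes with a private-set-intersection scheme); it shows the simpler hash-prefix range query used by Have I Been Pwned's Pwned Passwords API, which the article does not mention but which is the well-known way to get most of the benefit. The client reveals only the first 20 bits of a SHA-1 hash, the server returns every suffix in that bucket, and the final comparison happens on the client. The breach corpus, the trivial-password list, the 5-character prefix length and all names are assumptions constructed for the example; it also checks username+password pairs as well as bare passwords, which the article says the real tool does.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a breach corpus of (username, password) pairs.
# Every value here is made up for the example; none comes from a real breach.
BREACH_CORPUS: List[Tuple[str, str]] = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "changeme"),
    ("dave@example.com", "Summer2019!"),
]

# Trivial passwords the checker deliberately does not flag (the article notes the
# real tool skips '12345'-style passwords to avoid stating the obvious). Assumed list.
TRIVIAL: Set[str] = {"12345", "123456", "password", "qwerty"}

PREFIX_LEN = 5  # hex characters (20 bits) of the hash that the client reveals


def _sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def password_hash(password: str) -> str:
    """Hash of the bare password (for 'anyone anywhere used this?' checks)."""
    return _sha1_hex(password)


def pair_hash(username: str, password: str) -> str:
    """Hash of the username+password pair; the username is normalised so that
    'Alice@Example.com' and 'alice@example.com' produce the same digest."""
    return _sha1_hex(username.strip().lower() + "\x00" + password)


def build_index(corpus: List[Tuple[str, str]]):
    """Server side: bucket full hashes by their short prefix.
    Two indexes are kept, one over bare passwords and one over pairs."""
    pw_index: Dict[str, Set[str]] = {}
    pair_index: Dict[str, Set[str]] = {}
    for user, pw in corpus:
        h = password_hash(pw)
        pw_index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
        h = pair_hash(user, pw)
        pair_index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return pw_index, pair_index


def range_query(index: Dict[str, Set[str]], prefix: str) -> List[str]:
    """Server side: the server learns only the prefix and answers with every
    suffix in that bucket, so it cannot tell which one the client wanted."""
    return sorted(index.get(prefix, set()))


def check_credentials(username: str, password: str, pw_index, pair_index) -> str:
    """Client side: 'trivial', 'pair_breached', 'password_breached' or 'clean'."""
    if password in TRIVIAL:
        return "trivial"
    h = pair_hash(username, password)
    if h[PREFIX_LEN:] in range_query(pair_index, h[:PREFIX_LEN]):
        return "pair_breached"
    h = password_hash(password)
    if h[PREFIX_LEN:] in range_query(pw_index, h[:PREFIX_LEN]):
        return "password_breached"
    return "clean"


if __name__ == "__main__":
    pw_idx, pair_idx = build_index(BREACH_CORPUS)
    for user, pw in [
        ("Alice@Example.com", "hunter2"),
        ("zed@example.com", "hunter2"),
        ("zed@example.com", "12345"),
        ("zed@example.com", "correct horse battery staple"),
    ]:
        print(f"{user!r} / {pw!r} -> {check_credentials(user, pw, pw_idx, pair_idx)}")
```

The pair check answers the "why should I care if someone else used it?" question one way (your own credential pair is in the dump) and the bare-password check answers it the other way (the password is now in every attacker's dictionary regardless of username). A real deployment would use a slow hash or the blinding Google describes rather than plain SHA-1, and would rate-limit range queries.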
Password reuse
The question is why a significant number of people among the early adopters of a password advice tool choose to ignore its warnings.
The answer seems to be that even relatively cautious users hugely underestimate the danger of password re-use.
There is no doubt that a lot of people still re-use passwords despite being warned not to, but it seems they re-use some more than others.
Google found that people are less likely to re-use passwords across well-known sites, such as government and finance (0.2% and 0.3% reuse respectively), and email (0.5%).
By the time you get to shopping (1.2%), news (1.9%) and entertainment (6.3%), things start to deteriorate.
Unfortunately, from the attacker’s point of view, this matters not. Once criminals have access to a reused password (specifically, weak ones), the power of credential stuffing means that the clock is ticking on another site somewhere.
Beyond simply abolishing passwords altogether as a form of authentication, the brave answer might be for tools such as Password Checkup (and Firefox’s equivalent-but-not-identical, Firefox Monitor) to start nagging users more assertively.
It’s unlikely that browser makers have the stomach for this yet but if it comes to pass, the pestering could push more users to better alternatives such as password managers and two-factor authentication.
Is this checking the password in combination with the user name? Or just the password to see if anyone anywhere ever used it? I get not reusing passwords with the same username. But if some random person happened to use a password with a user name not in any way associated with my username, why should I care?
Because those passwords are part of a giant file that hackers are using to brute force accounts.
Many programs only allow for three or four incorrect password tries! How is it possible to brute-force this type of log-on?
It’s because they use botnets to try millions of different accounts at once instead of hammering away at just one account. Since each account is hit only a couple times, they don’t get locked.
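The pattern in the reply above, and the credential stuffing the article mentions, is exactly what a per-account lockout cannot see: each account gets one or two attempts, each from a different address. The detector below is an added example, not code from the article or from any commenter; it runs over constructed authentication log lines and shows that the per-account and per-IP thresholds both stay silent while the aggregate signal (many distinct accounts failing at once, far above the normal mistyped-password rate) fires. The log format, the thresholds and all addresses and names are assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Assumed log format: "<timestamp> <source-ip> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Thresholds are assumptions for the example, not figures from the article.
LOCKOUT_THRESHOLD = 3        # failures on one account before the app locks it
IP_SPRAY_THRESHOLD = 5       # distinct accounts tried from one IP before it looks like spraying
BASELINE_FAIL_RATIO = 0.05   # normal share of failed logins (people mistyping)
MIN_FAILED_ACCOUNTS = 5      # a campaign must touch at least this many accounts

# Constructed sample: a distributed credential-stuffing burst. Every account is
# hit once, from its own address, so no lockout and no per-IP rule triggers.
STUFFING_LOG = """
2019-08-16T10:00:01Z 203.0.113.10 alice FAIL
2019-08-16T10:00:02Z 203.0.113.11 bob FAIL
2019-08-16T10:00:02Z 203.0.113.12 carol FAIL
2019-08-16T10:00:03Z 203.0.113.13 dave FAIL
2019-08-16T10:00:03Z 198.51.100.5 erin OK
2019-08-16T10:00:04Z 203.0.113.14 frank FAIL
2019-08-16T10:00:04Z 203.0.113.15 grace FAIL
2019-08-16T10:00:05Z 203.0.113.16 heidi FAIL
2019-08-16T10:00:05Z 203.0.113.17 ivan FAIL
2019-08-16T10:00:06Z 198.51.100.6 judy OK
"""

# Constructed sample: ordinary traffic with one mistyped password.
NORMAL_LOG = """
2019-08-16T11:00:01Z 198.51.100.5 erin OK
2019-08-16T11:00:05Z 198.51.100.6 judy FAIL
2019-08-16T11:00:09Z 198.51.100.6 judy OK
2019-08-16T11:00:20Z 198.51.100.7 alice OK
2019-08-16T11:00:31Z 198.51.100.8 bob OK
2019-08-16T11:00:40Z 198.51.100.9 carol OK
"""


def parse(log_text: str) -> List[Dict]:
    """Turn raw lines into events; lines that do not match the format are skipped."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def analyse(log_text: str) -> Dict:
    """Apply the per-account rule, the per-IP rule, and the aggregate rule."""
    events = parse(log_text)
    fails_per_user: Counter = Counter()
    users_per_ip = defaultdict(set)
    total = fails = 0
    for e in events:
        total += 1
        users_per_ip[e["ip"]].add(e["user"])
        if not e["ok"]:
            fails += 1
            fails_per_user[e["user"]] += 1

    # What the conventional controls would have caught.
    locked = sorted(u for u, n in fails_per_user.items() if n >= LOCKOUT_THRESHOLD)
    spraying = sorted(ip for ip, us in users_per_ip.items() if len(us) >= IP_SPRAY_THRESHOLD)

    # The aggregate view: how many distinct accounts failed, and at what rate.
    fail_ratio = fails / total if total else 0.0
    failed_accounts = len(fails_per_user)
    if failed_accounts >= MIN_FAILED_ACCOUNTS and fail_ratio >= 4 * BASELINE_FAIL_RATIO:
        verdict = "credential_stuffing"
    elif locked or spraying:
        verdict = "targeted_brute_force"
    else:
        verdict = "normal"

    return {
        "events": total,
        "failed_logins": fails,
        "fail_ratio": fail_ratio,
        "failed_accounts": failed_accounts,
        "locked_accounts": locked,
        "spraying_ips": spraying,
        "verdict": verdict,
        "evaded_per_account_controls": verdict == "credential_stuffing" and not locked and not spraying,
    }


if __name__ == "__main__":
    for name, log in [("stuffing", STUFFING_LOG), ("normal", NORMAL_LOG)]:
        print(name, analyse(log))
```

The useful output is the combination of `verdict == "credential_stuffing"` with empty `locked_accounts` and `spraying_ips`: that is the case where the only defence left is the aggregate rate across accounts, which is why breached-password checks at login time matter even when lockouts are in place.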
It relates to the individual so it’s a combination of the two.
(A password match alone would strongly indicate that a weak or guessable password had been used. There are online checkers which can spot these.)
The problem with using any password that is already known is that it will appear in the “dictionary” used during brute force attacks. In other words, it’s bound to be one of the passwords they’ll try to use when attempting to log into your bank account, whether you’ve used it anywhere else or not.
Most people are just downright stubborn. They usually ignore warnings and blame Google for the hack when they’ve already been warned. People are going to freak out once 2FA becomes a standard.
We’re moving away from two factor and into password-less authentication. Waze already does this. You don’t use a password to log in, you use the code they send to you via SMS text message. Other ways will be via specialized devices that generate the code based on a time algorithm, etc.
If it were me using the Google browser tool and it informed me that one or more of my passwords had been compromised, I would click the ignore option and then log in to the site from a browser (NOT using the Chrome password tool) and change my password from there instead.
I wonder how many of the 40% of users Google reports didn’t change their password through their browser extension actually changed their password the way I would have? (Which, by the way, would be the correct method since it would lessen the risk.)
It is my understanding that the Chrome (Chromium) automated login “feature” will only remember the first password entered. If you change a password on a site and try to log in with that “feature” enabled, it will still use your first password to try and log onto the site. (So I have been told.)
Presumably you mean using a browser other than Chrome. I’m not sure how this would make the process of changing a password more secure though.
Apologies, I am being a little slow on the uptake, but how is resetting your password from a different browser more secure than doing so through Chrome? If you are suspicious of Google, then if it’s a Google account you are resetting it wouldn’t matter, if you believe Google knows your passwords anyway; if it’s some other non-Google account then maybe, but despite privacy concerns I cannot believe that Google wants to capture your password in clear text for themselves.
Is it also possible that the extension doesn’t differentiate between high and low value sites? Sometimes if I need to log on with my phone (which is not connected to a password manager), I will reuse an old, likely breached password if I haven’t decided to commit to the service yet. It’s not until I decide to commit that I select a harder to enter or remember password.
The problem is that many people think this way and end up forgetting to change that password later. Then they get mad when the account gets taken over. It’s best to give every account a strong password and let a password manager deal with it.
The password “changeme” frequently shows up in those lists of “the top N worst passwords”…
John F Dunn,
The closing of your article is alarming!
DO not recommend 2FA, because of the following WELL KNOWN REASONS:
a. Super easy to trick user with an identical page requiring 2FA yet, misspelling just one character in the domain name
b. Phone numbers are too easy to spoof.
Finally, the recommendation of password managers that rely on primitive verification methods, all of them, is serious.
The reliance on centralized systems has been the demise of societies at large.
Before you write articles, please educate further and test your knowledge.
Walter Moss
PS: Let’s see if you caught it.
You seem to be suggesting that password managers are useless (or worse) because they *all* rely on primitive verification methods. I simply don’t think that’s correct. And if it’s a choice between your browser’s password manager and putting your cat’s name in every time, then you might as well pick the lesser of two evils anyway.
I agree that many 2FA systems can be phished in parallel with your username and password, for example if all you need to do is put in a code that’s generated offline by your phone. But my opinion is that username+password+2FA of that sort is, ipso facto, no worse than username+password alone, so you might as well use it. After all, your password can get stolen by many other routes, and is valid to the crook indefinitely, whereas a 2FA code is valid once.
I have heard of numerous cases where plaintext or recoverable passwords have been breached from a service provider, but only know of one case where 2FA token seeds were breached – and that was from RSA, no less, but those seeds weren’t breached along with any passwords. In other words, your password may be recovered by crooks *without any phishing needed*, but that sort of password crack almost certainly won’t also give the crooks the ability to clone your 2FA code sequence…
…so you win.
As long as your own liability isn’t increased by adopting 2FA (e.g. by a sleazy service provider who insists in the small print that once 2FA is turned on, you take on more potential blame in the case of a breach) I can’t see how it can make things worse – especially as an increasing number of 2FA interactions are much harder to ‘man-in-the-middle’. For example, I use a phone-message-based 2FA service for one of my accounts in which the “approve the transaction” message I get shows me the IP number that initiated the login attempt. If I were being phished via a fake login page, the subterfuge would immediately be uncovered by the 2FA message, because it would show that my own browser, where I already put in username+password, was not in fact where the login started. (Sure, I might forget to check the IP number. I could also forget to lock my bicycle up when I go into town… but I don’t.)
You’re right that some 2FA systems can be spoofed, although the incidence of this is still low relative to their use. As for the most secure types – hardware tokens – these are extremely secure. It’s incorrect to lump all 2FA systems together in terms of their risk.
As for password managers, while the data is backed up to the cloud, the keys used to decrypt it never leave the user’s computer (or token, in the case of a FIDO key). Feel free to explain why this is less secure than using no password manager at all but I take some convincing!
I do know that that report is most likely flawed. I have received that warning on that extension, gone on into the site, changed my password, to which all of my passwords are unique for each site, and the next day the same message came back up saying the same thing, to change my password because that site was part of a breach.
I have clicked ignore on it countless times. Only one time has it triggered on a place where I wanted the warning. All the other times I ignored it, it was because I was developing on local websites and it loves to tell me how my 123 password isn’t secure. It’s like, Goooooooogle, I know, the site’s not even accessible to the web.
So I wonder if people like me are contributing to that 1 in 4 stat, because right now I bet it’s a lot of more tech savvy people using it. I’m hitting “ignore this site” not because I don’t care, but because I don’t care about it to run on my local sites.
As I understand it, it is designed not to warn you about trivial passwords to avoid alert overload and shouldn’t trigger on an internal address. Baffled by that one.