Sophos Cloud Optix
If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?
Presumably, the answer is ‘change it immediately’. And yet, according to Google, only one in four users of its Password Checkup Chrome extension decided to do just that when told the same bad news.
Introduced in February, Password Checkup compares a hashed version of every user password entered against a database of four billion that Google knows to have been compromised in breaches.
If it notices a match for a password and username combination, the user can either continue to log in (i.e. ignore it but be warned the next time), log in and change it, or ignore the warning by clicking ‘close’.
Doing the password comparison securely is more technically complicated than it sounds but suffice to say Google went to some lengths to solve the problem.
What it hasn’t yet managed to solve is the bigger problem of user apathy.
The most surprising part of Google’s finding is that these users were among the 650,000 who were motivated enough about security to download the tool in the first place.
In month one alone, Google says it scanned 21 million usernames and passwords, flagging 316,000 or 1.5% as having been part of a breach (a stat that excludes trivial passwords such as ‘12345’, which the tool doesn’t warn against to avoid overstating the obvious).
There is some good news – 60% of those who changed their potentially compromised passwords chose ones that would be hard to guess.
Password reuse
The question is why a significant number of people among the early adopters of a password advice tool choose to ignore its warnings.
The answer seems to be that even relatively cautious users hugely underestimate the danger of password re-use.
There is no doubt that a lot of people still re-use passwords despite being warned not to, but it seems they re-use some more than others.
Google found that people are less likely to re-use passwords across well-known sites, such as government and finance (0.2% and 0.3% reuse respectively), and email (0.5%).
By the time you get to shopping (1.2%), news (1.9%) and entertainment (6.3%), things start to deteriorate.
Unfortunately, from the attacker’s point of view, this matters not. Once criminals have access to a reused password (specifically, weak ones), the power of credential stuffing means that the clock is ticking on another site somewhere.
Beyond simply abolishing passwords altogether as a form of authentication, the brave answer might be for tools such as Password Checkup (and Firefox’s equivalent-but-not-identical, Firefox Monitor) to start nagging users more assertively.
It’s unlikely that browser makers have the stomach for this yet but if it comes to pass, the pestering could push more users to better alternatives such as password managers and two-factor authentication.
Is this checking the password in combination with the user name? Or just the password to see if anyone anywhere ever used it? I get not reusing passwords with the same username. But if some random person happened to use a password with a user name not in any way associated with my username, why should I care?
Because those passwords are part of giant file that hackers are using to brute force accounts.
Many programs only allow for three or four error password tries,! How is it possible to brute-force this type of log-on?
It’s because they use botnets to try millions of different accounts at once instead of hammering away at just one account. Since each account is hit only a couple times, they don’t get locked.
It relates to the individual so it’s a combination of the two.
(A password match alone would strongly indicate that a weak or guessable password had been used. There are online checkers which can spot these.)
The problem with using any password that is already known is that it will appear in the “dictionary” used during brute force attacks. In other words, it’s bound to be one of the passwords they’ll try to use when attempting to log into your bank account, whether you’ve used it anywhere else or not.
Most people are just downright stubborn. They usually ignore warnings and blame Google for the hack when they’ve already been warn. People are going to freak out once 2FA becomes a standard.
We’re moving away from two factor and into password-less authentication. Waze already does this. You don’t use a password to log in, you use the code they send to you via SMS text message. Other ways will be via specialized devices that generate the code based on a time algorithm, etc.
if it were me using the google browser tool and it informed me that one or more of my passwords had been compromised, i would click the ignore option and then login to the site from a browser (NOT using the chrome password tool) and change my password from there instead.
i wonder how many of the 40% of users google reports didnt change their password through their browser extension actually changed their password the way i would have ? (which by the way would be the correct method since it would lessen the risk)
It is my understanding that the chrome (Chromium) automated login “feature” will only remember the first password entered. If you change a password on a a site and try to login with that “feature” enabled it will still use your first password to try and log onto the site. (so I have been told)
this is correct, I have changed my passwords via the websites needing to be changed. Google Chrome the next time I went to log in tried to auto fill my old user name and password. This will continue to happen, unless you either (a) delete old password from chrome (b) delete old and save new. Also; if you auto sync your phone across platforms; now I am not positive on this; but you will probably have to go to the other devices go into chrome and delete these old passwords here too. Unfortunately, do not believe there is any other way to accomplish this task.
Presumably you mean using a browser other than Chrome. I’m not sure how this would make the process of changing a password more secure though.
Apologies I am being a little slow on the uptake, but how is resetting your password from a different browser more secure than doing so through Chrome? If you are suspicious of Google then if its a google account you are resetting it wouldn’t matter if you believe Google know your passwords anyway, if some other non google account then maybe but I am sure despite privacy concerns i cannot believe that Google want to capture your password in clear text for themselves.
Is it also possible that the extension doesn’t differentiate between high and low value sites? Sometimes if I need to log on with my phone (which is not connected to a password manager) , I will reuse an old, likely breached password if I haven’t decided to commit to the service yet. It’s not until I decide to commit that I select a harder to enter or remember password.
The problem is that many people think this way and end up forgetting to change that password later. Then they get mad when the account gets taken over. It’s best to give every account a strong password and let a password manager deal with it.
The password “changeme” frequently show up near in those lists of “the top N worst passwords”…
John F Dunn,
The closing of your article is alarming!
DO not recommend 2FA, because of the following WELL KNOWN REASONS:
a. Super easy to trick user with an identical page requiring 2FA yet, misspelling just one character in the domain name
b. Phone numbers are too easy to spoof.
Finally, the recommendation of password managers that rely on primitive verification methods, all of them, is serious.
The reliance on centralized systems has been the demise of societies at large.
Before you write articles, please educate further and test your knowledge.
Walter Moss
PS: Let’s see if you caught it.
You seem to be suggesting that password managers are useless (or worse) because they *all* rely on primitive verification methods. I simply don’t think that’s correct. And if it’s a choice between your browser’s password manager and putting your cat’s name in every time, then you might as well pick the lesser of two evils anyway.
I agree that many 2FA systems can be phished in parallel with your username and password, for example if all you need to do is put in a code that’s generated offline by your phone. But my opinion is is that username+password+2FA of that sort is, ipso facto, no worse than username+passsword alone, so you might as well use it. After all, your password can get stolen by many other routes, and is valid to the crook indefinitely, whereas a 2FA code is valid once.
I have heard of numerous cases where plaintext or recoverable passwords have been breached from a service provider, but only know of one case where 2FA token seeds were breached – and that was from RSA, no less, but those seeds weren’t breached along with any passwords. in other words, your password may be recovered by crooks *without any phishing needed*, but if that sort of password crack almost certainly won’t also give the crooks the ability to clone your 2FA code sequence…
…so you win.
As long as your own liability isn’t increased by adopting 2FA (e.g. by a sleazy service provider who insists in thes mall print that once 2FA is turned on, you take on more potential blame in the case of a breach) I can’t see how it can make things worse – especially as an increasing number of 2FA interaction are much harder to ‘man-in-the-middle’. For example, I use a phone-message-based 2FA service for one of my accounts in which the “approve the transaction” message I get shows me the IP number that initiated the login attempt. If I were being phished via a fake login page, the subterfuge would immediately be uncovered by the 2FA message, because it would show that my own browser, where I already put in username+password, was not in fact where the login started. (Sure, I might forget to check the IP number. I could also forget to lock my bicycle up when I go into town… but I don’t.)
You’re right that some 2FA systems can be spoofed although the incidence of this is still low relative to their use. As for the most secure types – hardware tokens – these are extremely secure. It’s incorrect to lump all 2FA systems into the same in terms of their risk.
As for password managers, while the data is backed up to the cloud, the keys used to decrypt it never leave the user’s computer (or token, in the case of a FIDO key). Feel free to explain why this is less secure than using no password manager at all but I take some convincing!
John F Dunn,
The closing of your article is alarming!
DO not recommend 2FA, because of the following WELL KNOWN REASONS:
a. Super easy to trick user with an identical page requiring 2FA yet, misspelling just one character in the domain name
b. Phone numbers are too easy to spoof.
Finally, the recommendation of password managers that rely on primitive verification methods, all of them, is serious.
The reliance on centralized systems has been the demise of societies at large.
Before you write articles, please educate further and test your knowledge.
Walter Moss
PS: Let’s see if you caught it.
I do know that that report is most likely flawed. I have received that warning on that extension, gone on into the site, changed my password, to which all of my passwords are unique for each site, and the next day the same message came back up saying the same thing, to change my password because that site was part of a breach.
I have clicked ignore on it countless times. Only one time has it triggered on a place where I wanted the warning. All the other times I ignored it, it was because I was developing on a local websites and it loves to tell me how my 123 password isn’t secure. It’s like Goooooooogle I know, the sites not even accessible to the web.
So I wonder if people like me are contributing to that 1 in 4 stat, because right now I bet it’s a lot of more tech savvy people using it. I’m hitting “ignore this site” not because I don’t care, but because I don’t care about it to run on my local sites.
As I understand it, it is designed not to warn you about trivial passwords to avoid alert overload and shouldn’t trigger on an internal address. Baffled by that one.
What it hasn’t yet managed to solve is the bigger problem of user apathy
it is not apathy that we ignored that warning. First, i never downloaded an extension to check such things. second, it looks to be a hack itself. SURE, you have been compromised and you need to open your passwords and check them NOW.. what idiot would do that? maybe it’s not apathy or just common sense? According to your logic, i should go through my spam msg’s and believe all those phishing scams too?
Please Google and stop warning me about my password. I don’t want to change it. It is good as it is.
Nope, not apathy, more likely confusion and suspicion of some popup telling them all their passwords are comprised, and to go change them all. This sure as hell was my first thought when seeing this…(Nobody bothered to tell me about this new service from Google)
I know for me personally, it’s not apathy, it’s being overwhelmed. Let’s say I have a hundred accounts on various websites (and that’s probably a conservative estimate as essentially every website you go on wants you to create an account). Now recently I’ve started getting the notification regarding passwords impacted by this data breach… it would literally take me an entire day or more to go through my list of passwords and change every single one of them. So again, my reaction is not one of apathy, but one of ‘who tf has time for this?!’
Exactly my situation. I have about 100 passwords flagged. I go through and find the important accounts and change those passwords. I ignore the rest of the warnings. I am a very technical user, and would be glad to have those passwords changed, but I am not going to spend hours of my life doing it.
This is very scary for me as an elderly disabled person, even McAfee is showing as compromised, so, not having the abilities of most of your posters, (no disrespect intended), I feel I have no alternative than to disconnect from the net altogether. However, this itself will provide more problems in that ‘life’ today does not allow us non-users a way to easily run our everyday life, but in reality, your comments above seem to state we are moving forward, when in fact, we are going back to the dark ages surely,
I am well aware that technology in general knows that we uneducated elder citizens only have a very few years left to be on earth so are not to be seriously considered, but there will always be ‘the less educated’ amongst society, not to mention those who cannot afford to be computer literate, but they too, are, it seems, not to be considered.
I have, after, writing this, disconnected all my ‘gadget’ that were supposed to assist me in my day to day life, and will sit here and wait for life to come to me!
Loved the previous comment
From another senior,
Stupid question: does Google know all my passwords and usernames unencrypted and therefore this information is available to be hacked?
I apologize I have not thoroughly reviewed the previous comments
The deal with a breached password is that if you used the same password on site Y as you did on site X, and your password from site X gets leaked publicly, then *everyone in the world*, including Google, knows what your password is on site Y.
So never reuse passwords, and if change passwords if you know they have been breached!
This is really annoying because there is no provision to include/exclude websites. The d**n browser warns me every time I log into my internal server at home with an intentionally weak password and a “localhost” like IP address that no one from the internet can never get into!!!
Why have a password at all if you are going to set it to a weak one? Just set a proper password and that way you don’t need to worry whether your claim that “no one can ever get at it” is true or not. (Remember that a dodgy website you visit on the outside can link to URLs on your local network and could therefore have a guess that way.)
How do I turn this off for localhost, or a local subnet?
Turns out you can’t, it’s either globally on or globally off. Seeing this on any request to localhost:3000/login is insane so for me it’s off.
Try setting proper passwords for *all* your login pages, even unimportant ones. You will not regret it. If an account is unimporant enough to allow bad passwords, don’t use a password at all.
This is all misleading. Loads of people on other sites report changing their passwords, but the warning still appears. Same for me. So basically, it’s either fake, or malware.