Even When Warned, Many Users Do Not Change Breached Passwords

Google has launched its Password Checkup service for Chrome, which displays a warning when a user logs in to a website with a username and password that are known to have been exposed in a previous data breach. Each login is checked against a database of more than 5 billion compromised credentials. The warning is triggered only when the password matches one recorded against the same username in that database; a password that appears in the database under a different account does not, by itself, trigger it.
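The check described above, as an added example that is not Google's code: a k-anonymity style lookup in which the client hashes the username/password pair, sends the server only a short hash prefix, receives every breached hash that shares the prefix, and finishes the comparison locally, so the full credential hash never leaves the client. The breach corpus, the prefix length and the `\x00` separator are assumptions made for the example; Google's real Password Checkup uses a blinded elliptic-curve private-set-intersection protocol and a memory-hard hash rather than this plain SHA-256 prefix scheme.

```python
"""Added example (not Google's Password Checkup code): a simplified
k-anonymity breached-credential check that matches on the username AND
password, so a password reused by a different user is not flagged."""
import hashlib
from collections import defaultdict

# Constructed sample breach corpus for the demo; not real leaked data.
BREACHED_CREDENTIALS = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "qwerty2019"),
]

# Assumed prefix length: two hex characters = one byte = 256 buckets.
# Longer prefixes cut bandwidth but shrink the anonymity set the server sees.
PREFIX_HEX = 2


def credential_hash(username: str, password: str) -> str:
    """Hash the (username, password) pair as a single value.

    The username is canonicalised so that case and whitespace differences do
    not hide a match; the NUL separator is an assumption for this example and
    keeps "ab"+"c" from colliding with "a"+"bc".
    """
    material = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_index(creds):
    """Server side: bucket every breached credential hash by its prefix."""
    index = defaultdict(set)
    for user, pw in creds:
        h = credential_hash(user, pw)
        index[h[:PREFIX_HEX]].add(h)
    return index


def lookup_bucket(index, prefix: str):
    """Server side: return all breached hashes sharing the requested prefix.

    This is the only thing the client ever sends: a prefix, never the full hash.
    """
    return sorted(index.get(prefix, ()))


def is_breached(index, username: str, password: str) -> bool:
    """Client side: compute the hash, fetch its bucket, and match locally."""
    h = credential_hash(username, password)
    bucket = lookup_bucket(index, h[:PREFIX_HEX])
    return h in bucket


if __name__ == "__main__":
    idx = build_index(BREACHED_CREDENTIALS)
    for user, pw in [("alice@example.com", "Password123"),
                     ("dave@example.com", "Password123"),
                     ("alice@example.com", "Password124")]:
        print(user, "breached" if is_breached(idx, user, pw) else "clean")
```

Note that the server learns only which of the 256 buckets the client asked for; in a real deployment the bucket for a 5-billion-entry corpus would be far too large to ship per login, which is why production designs add a blinded hash exchange on top of the prefix.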

The Chrome extension has been installed by around 650,000 users, and it scanned 21 million credentials in the first month after its launch. This week Google released some interesting data from the service. Although these users went to the trouble of installing the extension to check their accounts, many of them ignore its warnings: only 26% of the compromised username/password combinations it flagged have been reset.

Even when the warnings are heeded, users are poor at choosing replacement passwords. Google notes that in 40% of cases the new password is not strong enough to withstand a brute-force guessing attempt. Outside of the most popular websites, users were two and a half times more likely to reuse a vulnerable password.

The percentage of users reusing breached passwords is low, but it is still a concern. Thousands of users are reusing their passwords across multiple accounts, in many cases on sensitive sites such as banking websites, email accounts and government logins. Even when users are told that their username/password combination is known to cybercriminals, the passwords are not reset.

Password reuse is most common on entertainment sites, where 6.3% of users reused a vulnerable password. 1.2% of users reused a vulnerable password on an online shopping website, which often stores users' credit card details; 0.5% reused one for their email; 0.3% reused one on a finance website; and 0.2% did so on government websites.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news