Google has released details of a study which suggests around 1.5 percent of actively-used web credentials have been previously disclosed in data breaches, based on information gathered by a password checking Chrome extension the company released earlier this year.
Data breaches are bad news: Even if a company isn't daft enough to store usernames, passwords, and even biometric information in a plain-text format, weaker passwords can be quickly brute-forced or processed using a rainbow table to match hashes to their plain-text equivalents. While it's easy for a company to tell its users to change their passwords post-breach, it opens them up to so-called 'credential stuffing' attacks - taking the usernames and passwords from one breach and trying them on as many other sites as possible, catching out anyone who has reused usernames and passwords between services.
Earlier this year, Google launched a breach notification extension for its Chrome browser. Dubbed Password Checkup, the extension would monitor credentials for their presence on breach notification services like Have I Been Pwned. In the one month period after its launch, the extension had been installed on almost 670,000 machines - and around 1.5 percent of the logins monitored were found to have been disclosed in prior breaches.
Not everyone who was alerted to the fact their password is out in the wild for all to see paid heed to the notice, however - despite having apparently cared enough to have installed the extension in the first place. Only 26 percent of those receiving a notification that their password had been disclosed bothered to change to a new password, though in happier news 94 percent of the new passwords were at least as strong if not stronger than the originals.
The company's report also breaks its findings down into content categories, finding that entertainment sites had the highest incidence of passwords having been breached at 6.3 percent, while adult entertainment sites were next at 3.6 percent. Financial and government websites, meanwhile, were the least likely to have had passwords disclosed, at 0.3 percent and 0.2 percent respectively.
Google's analysis builds on earlier research which pegged the number of breached passwords at 6.9 percent. At 1.5 percent, Google's latest findings are considerably lower, but the company's researchers warn against concluding that things are improving: Instead it suggests that the self-selecting nature of the sample group, made up as it is of people who specifically sought out and manually installed a password-checking extension, is likely to mean a more security-conscious mindset, while the fact the analysis didn't capture dormant or abandoned accounts could drop the figure still further.
The full paper, Protecting Accounts from Credential Stuffing with Password Breach Alerting, can be found on Google's AI research site.
September 16 2019 | 14:00