Alerted to exposed credentials, users do something about it roughly a quarter of the time
Between February and March this year, after Google released a Chrome extension called Password Checkup to check whether people’s username and password combinations had been stolen and leaked from website databases, computer scientists at the biz and Stanford University gathered anonymous telemetry from 670,000 people who installed the add-on.
On Friday, the boffins – Kurt Thomas, Jennifer Pullman, Kevin Yeo, Ananth Raghunathan, Patrick Gage Kelley, Luca Invernizzi, Borbala Benko, Tadek Pietraszek, and Sarvar Patel, and Elie Bursztein from Google, with Dan Boneh from Stanford – presented a paper describing the results of their data gathering at the USENIX Security conference.
The paper [PDF], titled “Protecting accounts from credential stuffing with password breach alerting,” reveals that about 1.5 per cent of logins on the web involve credentials that have been exposed online.
“During this measurement window, we detected that 1.5 per cent of over 21 million logins were vulnerable due to relying on a breached credential – or one warning for every two users,” the paper says, noting that the figure is significantly less than a 2017 study where the rate was 6.9 per cent.
For the 28-day period, 316,531 logins involved leaked credentials. Warnings sent to users were then ignored about a quarter of the time (26 per cent); these notifications also resulted in password resets about 26 per cent of the time.
The researchers suggest three potential explanations: that users may not believe the risk is worth the effort of adopting a new password; that users may not be in full control of the account (e.g. a shared household account); or that there’s insufficient guidance about how to reset a password.
Despite the fact that their security advice may be ignored, they conclude, “Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking.”
The risk, to which the title of the paper alludes, is credential stuffing, which involves gathering easily obtained sets of exposed credentials – usernames and passwords harvested from specific websites – and crafting code that attempts to use those credentials on a massive number of other websites, in the hope of finding login details that have been reused.
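As an added illustration (not code from the paper, from Google’s extension or from The Register), the block below sketches the kind of check a breach-alerting client performs: the client sends only a short prefix of a hash of the username and password pair, the server returns the breached hashes in that bucket, and the match is decided locally, so the service never sees the full credential. The hash function, prefix length and breached pairs are constructed for the example; Password Checkup’s own protocol is described in the paper and is not reproduced here.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed breach corpus: (username, password) pairs as a leaked dump
# might contain. Hypothetical values, not taken from any real breach.
BREACHED_PAIRS = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "P@ssw0rd"),
]

PREFIX_BITS = 16  # the client reveals only this many bits of the hash


def credential_hash(username: str, password: str) -> bytes:
    """Hash the username:password pair (SHA-256 chosen for illustration)."""
    return hashlib.sha256(f"{username}:{password}".encode()).digest()


def hash_prefix(digest: bytes) -> str:
    """Return the first PREFIX_BITS of the digest as a hex string."""
    return digest.hex()[: PREFIX_BITS // 4]


class BreachServer:
    """Holds hashed breached credentials, bucketed by hash prefix."""
    def __init__(self, pairs: Iterable[Tuple[str, str]]) -> None:
        self.buckets: Dict[str, Set[bytes]] = {}
        for user, pw in pairs:
            h = credential_hash(user, pw)
            self.buckets.setdefault(hash_prefix(h), set()).add(h)

    def lookup(self, prefix: str) -> Set[bytes]:
        # The server learns only the prefix, never the full hash or credential.
        return self.buckets.get(prefix, set())


def check_login(server: BreachServer, username: str, password: str) -> bool:
    """Client side: True if this exact username/password pair is in the corpus."""
    h = credential_hash(username, password)
    candidates = server.lookup(hash_prefix(h))
    return h in candidates


def warn_rate(server: BreachServer, logins: Iterable[Tuple[str, str]]) -> float:
    """Fraction of observed logins that used a breached pair (the paper's 1.5% figure)."""
    logins = list(logins)
    flagged = sum(check_login(server, u, p) for u, p in logins)
    return flagged / len(logins) if logins else 0.0
```

Because the hash binds the username to the password, a leaked password reused by a different account name is not flagged, which mirrors the paper’s focus on breached username and password combinations rather than passwords alone.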
Credential stuffing attacks have become popular because there are so many compromised accounts available in online databases – 25 billion username and password pairs, according to internet plumbing giant Akamai.
The biz said earlier this year, in its report on the subject, that there were hundreds of millions of credential stuffing attacks carried out every day in 2018, with a three-day peak of 250 million brute force login attempts.
The eggheads from Google and Stanford found that users of the Password Checkup extension reused hacked credentials across more than 746,000 domains. “The risk of hijacking was highest for video streaming and adult sites, where 3.6–6.3 per cent of logins relied on breached credentials,” their paper says.
Google appears to be convinced that having Chrome check for leaked passwords would benefit everyone using the browser. A Chromium bug report suggests the capability will be built into a future update. ®