A new Google study disclosed that it flagged as unsafe some 316,000 users who continue to use passwords that are already known to be compromised. Google gathered this information from website log-ins and from data collected by the Password Checkup extension for Google Chrome.
"The study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking," Google posted on its security blog.
The research was released as part of the USENIX Security Symposium.
Password Checkup Extension
The extension displays a warning whenever a user signs in to a site using one of the more than 4 billion usernames and passwords that Google knows to be unsafe because of a third-party data breach.
In the first month after its launch in February, Google scanned 21 million usernames and passwords and found that 1.5 percent of the sign-ins scanned by the extension were risky. Google said users are more likely to reuse vulnerable passwords, further putting their accounts at risk of hijacking.
Based on the anonymous telemetry reported by the Password Checkup extension, users most often reuse vulnerable passwords on certain websites, such as news and entertainment sites. The risks are most prevalent on shopping sites, where users may have saved credit card details.
The research added that the risk of account hijacking was highest for video streaming and porn websites, where up to 6.3 percent of users were logging in with breached credentials.
"Our research shows that users opt to reset 26 percent of the unsafe passwords flagged by the Password Checkup extension. Even better, 60 percent of new passwords are secure against guessing attacks — meaning it would take an attacker over a hundred million guesses before identifying the new password," a Google blog post stated.
How To Protect Your Password Credentials
One of the biggest risks of not changing compromised passwords is credential stuffing. In this type of cyberattack, hackers take combinations of usernames and passwords from previous data breaches and try them against accounts on other sites, either directly or as part of a brute-force attack. When a match is found, the hackers can take over the victim's account.
Recent credential-stuffing incidents have affected Dunkin' Donuts and the insurance provider State Farm. In Dunkin' Donuts' case, hacked customer accounts were sold on dark web forums.
The study proposes a privacy-preserving protocol in which a client can query a centralized breach repository to learn whether a specific username and password combination has been publicly exposed, without revealing the credentials being queried. According to Google, the client making the query can be an end user, a password manager, or an identity provider.
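The following is an added example, not Google's code, illustrating the shape of such a lookup: the client reveals only a short prefix of the hashed username to select a bucket, and the credential itself is sent blinded so the server never sees it. The group parameters (a finite field mod a Mersenne prime), the hashing and the sample breach corpus are constructed assumptions for the demo; a real deployment would use an elliptic-curve group and a slow password hash.

```python
import hashlib
import math
import secrets

# Toy group: the multiplicative group mod the Mersenne prime 2**127 - 1.
# Constructed for illustration only; not a production parameter choice.
P = 2**127 - 1

def hash_to_group(username: str, password: str) -> int:
    """Map a canonicalized credential pair to a group element in [2, P-2]."""
    digest = hashlib.sha256(f"{username.lower()}\x00{password}".encode()).digest()
    return 2 + int.from_bytes(digest[:15], "big") % (P - 3)

def username_prefix(username: str) -> bytes:
    """2-byte prefix of the hashed username: the only unblinded data the server sees."""
    return hashlib.sha256(username.lower().encode()).digest()[:2]

class BreachRepository:
    """Server side: stores H(u,p)**k under a secret key k, bucketed by username prefix."""
    def __init__(self, breached_pairs):
        self.k = secrets.randbelow(P - 2) + 1          # server secret, never leaves the server
        self.buckets = {}
        for u, p in breached_pairs:
            tag = pow(hash_to_group(u, p), self.k, P)
            self.buckets.setdefault(username_prefix(u), set()).add(tag)

    def query(self, prefix: bytes, blinded: int):
        """Return the candidate bucket and the server-keyed version of the blinded element."""
        return self.buckets.get(prefix, set()), pow(blinded, self.k, P)

def is_breached(repo: BreachRepository, username: str, password: str) -> bool:
    """Client side: blind the credential, query, unblind the reply, compare locally."""
    h = hash_to_group(username, password)
    while True:
        r = secrets.randbelow(P - 2) + 1
        if math.gcd(r, P - 1) == 1:                    # r must be invertible mod the group order
            break
    bucket, keyed_blinded = repo.query(username_prefix(username), pow(h, r, P))
    r_inv = pow(r, -1, P - 1)
    keyed = pow(keyed_blinded, r_inv, P)               # ((h**r)**k)**(1/r) == h**k
    return keyed in bucket                             # membership decided on the client

# Constructed sample breach corpus (not real data).
SAMPLE_BREACH = [("alice@example.com", "password123"), ("bob@example.com", "letmein")]
```

The server learns only a 16-bit username prefix and a random-looking group element, while the client learns only whether its own keyed hash appears in the bucket, since the other entries are keyed with the server's secret.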