Google has released the results of a large-scale study about password habits that shows why hackers use 'password-spraying' attacks on online accounts: many users stick with the same password, even when they're warned it's been compromised.
Password spraying has emerged as an effective technique to brute-force or guess passwords, as well as to bypass systems that lock accounts after too many wrong guesses.
The US government recently warned that Iranian hackers have been using the method to deploy destructive malware on systems, and hackers used it to gain a foothold in tech company Citrix and from there steal 6TB of information.
The technique involves gathering a huge number of account usernames and hitting logins with a small number of the worst passwords, on the assumption that some percentage of the target group will have used one of them.
Microsoft's research found that the top five used in password-spraying attacks are '123456', 'password', '000000', '1qaz2wsx', and 'a123456'.
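The defining signature of the technique described above is the inverse of a classic brute force: many accounts, very few guesses each, so that no single account ever reaches the lockout threshold. The following detection logic is an added example written for this article, not code from Google, Microsoft or the study; it runs over a small constructed authentication log (the line format, the IP addresses and the account names are all assumed) and flags a source only when it fails against many distinct accounts while staying under the per-account lockout count, so a single-account brute force, which the lockout already handles, is deliberately not reported.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the article).
# Assumed line format: "<ISO timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2019-08-16T10:00:01 src=203.0.113.7 user=alice result=fail
2019-08-16T10:00:14 src=203.0.113.7 user=bob result=fail
2019-08-16T10:00:27 src=203.0.113.7 user=carol result=fail
2019-08-16T10:00:40 src=203.0.113.7 user=dave result=fail
2019-08-16T10:00:55 src=203.0.113.7 user=erin result=fail
2019-08-16T10:01:09 src=203.0.113.7 user=frank result=fail
2019-08-16T10:01:22 src=203.0.113.7 user=grace result=fail
2019-08-16T10:01:36 src=203.0.113.7 user=heidi result=fail
2019-08-16T10:00:05 src=198.51.100.9 user=carol result=fail
2019-08-16T10:00:06 src=198.51.100.9 user=carol result=fail
2019-08-16T10:00:07 src=198.51.100.9 user=carol result=fail
2019-08-16T10:00:08 src=198.51.100.9 user=carol result=fail
2019-08-16T10:00:09 src=198.51.100.9 user=carol result=fail
2019-08-16T10:00:10 src=198.51.100.9 user=carol result=fail
2019-08-16T10:02:00 src=192.0.2.5 user=alice result=fail
2019-08-16T10:02:10 src=192.0.2.5 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"],
                "user": m["user"],
                "result": m["result"],
            })
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """Report each source that, inside one sliding time window, fails against at
    least `min_users` distinct accounts while every account stays below the
    lockout threshold. The widest such window per source is returned."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the window spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            spread_thin = max(per_user.values()) < lockout_threshold
            if len(per_user) >= min_users and spread_thin:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "src": src,
                        "distinct_users": len(per_user),
                        "first": fails[start]["ts"],
                        "last": fails[end]["ts"],
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spraying(parse_log(SAMPLE_LOG)):
        print(f"spray suspect {a['src']}: {a['distinct_users']} accounts "
              f"between {a['first']} and {a['last']}")
```

On the sample log only 203.0.113.7 is reported: eight accounts, one failure each, well under a five-strike lockout. The six failures from 198.51.100.9 all hit one account and are left to the lockout rule, and the single failed-then-successful login from 192.0.2.5 is ordinary user behaviour. In a real deployment the source key would usually be widened (ASN, user agent, or a fingerprint) because sprayers rotate IP addresses.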
Google's data on password habits comes from its study of every one of the 670,000 Chrome users who installed its Password Checkup extension.
What sets Google's data apart is that Password Checkup runs at login and warns users if the credentials they are entering are among the four billion that Google knows have been compromised.
Google found that 1.5% of more than 21 billion login attempts relied on a breached credential; those logins were spread across about 746,000 different domains.
The biggest category, in terms of logins using compromised credentials, is video streaming and porn sites, where 3.6% to 6.3% of logins used them. But it also found 0.2% in government, 0.3% in finance, 0.5% in email, 1.2% in shopping, and 1.9% in news.
As for how users respond to password breach alerts, the study found mixed results. Google found that 25.7% of its alerts, totaling 81,368, did not trigger a password change from users. However, it also found that 26.1% of alerts, totaling 82,761, did result in a password change.
The replacement passwords are a mixed bag, but they are overwhelmingly stronger than the ones they replaced. Google found that 60% of changed passwords are not vulnerable to guessing attacks, while the remainder are. And 94% of new passwords are at least stronger than the old one, even if a large chunk are still guessable.
Google's researchers argue in the paper that their Chrome extension is superior to Have I Been Pwned and Firefox Monitor, and contend that services like these could be exploited by attackers.
"At present, these services make a variety of tradeoffs spanning user privacy, accuracy, and the risks involved with sharing ostensibly private account details through unauthenticated public channels," the researchers said.
One consequence of these tradeoffs is that users may receive inaccurate remediation advice due to false positives, they say.
"For example, both Firefox and LastPass check the breach status of usernames to encourage password resetting, but they lack context for whether the user's password was actually exposed for a specific site or whether it was previously reset," says Google.
"Equally problematic, other schemes implicitly trust breach-alerting services to properly handle plaintext usernames and passwords provided as part of a lookup. This makes breach alerting services a liability in the event they become compromised (or turn out to be adversarial)."
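The two criticisms quoted above, false positives from username-only checks and the risk of handing plaintext credentials to a lookup service, can both be shown in a few lines. The code below is an added illustration written for this article, not Google's Password Checkup implementation or any of the services named. It assumes a constructed breach corpus (fake usernames and passwords), hashes the username and password together on the client, sends the server only a short hash prefix, and finishes the match locally, so the server never receives a plaintext pair; it then contrasts that with a username-only check that fires even after the password has been changed.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 4  # hex characters of the hash that leave the client (assumed bucket size)

# Constructed breach corpus of (username, password) pairs; not real leaked data.
BREACHED_CORPUS = [
    ("alice", "password"),
    ("bob", "123456"),
    ("carol", "hunter2"),
    ("dave", "1qaz2wsx"),
]


def credential_hash(username, password):
    """Hash the username/password pair together: matching on the username alone
    or the password alone is not enough to count the credential as breached."""
    data = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_server_index(corpus):
    """Server side: bucket every breached credential hash by its short prefix."""
    index = defaultdict(set)
    for username, password in corpus:
        h = credential_hash(username, password)
        index[h[:PREFIX_LEN]].add(h)
    return index


def server_lookup(index, prefix):
    """Server side: `prefix` is the only thing the server ever receives. It answers
    with the whole bucket and does not learn which entry the client cared about."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("client must send exactly the agreed prefix length")
    return set(index.get(prefix, ()))


def client_check(index, username, password):
    """Client side: hash locally, send only the prefix, compare the full hash at home."""
    h = credential_hash(username, password)
    bucket = server_lookup(index, h[:PREFIX_LEN])
    return h in bucket


def username_only_check(corpus, username):
    """The coarser question the article criticises: has this username appeared
    in any breach at all? It cannot tell whether this site's password was exposed."""
    wanted = username.strip().lower()
    return any(u == wanted for u, _ in corpus)


def compare_schemes(index, corpus, username, password):
    """Return both verdicts side by side so the false-positive case is visible."""
    return {
        "username_only": username_only_check(corpus, username),
        "credential_pair": client_check(index, username, password),
    }


if __name__ == "__main__":
    idx = build_server_index(BREACHED_CORPUS)
    # alice still using her leaked password: both schemes say "breached"
    print(compare_schemes(idx, BREACHED_CORPUS, "alice", "password"))
    # alice after a password change: username-only still fires, the pair check does not
    print(compare_schemes(idx, BREACHED_CORPUS, "alice", "correct horse battery"))
```

The second call is the false positive the researchers describe: the username is in the corpus, so a username-only service keeps telling alice to reset a password she has already replaced, while the pair check correctly reports nothing. The prefix query keeps plaintext off the wire, but note the caveat this toy leaves open: a plain SHA-256 over a short prefix is still cheap for a malicious or compromised server to brute-force, which is why a production scheme would add a slow hash and a blinding step on top of the prefix lookup (an assumption about design, not something the article spells out).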