Google: You're sticking with passwords that have already been hacked

Bad password habits are hard to change, says Google, with many users ignoring security-breach warnings.
Written by Liam Tung, Contributing Writer

Google has released the results of a large-scale study about password habits that shows why hackers use 'password-spraying' attacks on online accounts: many users stick with the same password, even when they're warned it's been compromised.  

Password spraying has emerged as an effective technique to brute-force or guess passwords, as well as to bypass systems that lock accounts after too many wrong guesses. 

The US government recently warned that Iranian hackers have been using the method to deploy destructive malware on systems, and hackers used it to gain a foothold in tech company Citrix and from there steal 6TB of information.

The technique involves gathering a huge number of account usernames and hitting logins with a small number of the worst passwords, on the assumption that some percentage of the target group will have used one of them. 

Microsoft's research found that the top five used in password-spraying attacks are '123456', 'password', '000000', '1qaz2wsx', and 'a123456'.  

Google's data on password habits comes from its study of every one of the 670,000 Chrome users who installed its Password Checkup extension

Google launched Password Checkup in February, drawing comparisons with the Firefox Monitor breach-alert service, which uses compromised credentials collected by Have I Been Pwned. 

The key difference is that at login, Google's Password Checkup warns users if the credentials they are using are among the four billion Google knows have been compromised. 

SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | download the PDF version

Google found that 1.5% of over 21 billion login attempts rely on a breached credential, which were used on about 746,000 different domains.

The biggest category, in terms of logins using compromised credentials, is video streaming and porn sites where 3.6% to 6.3% used them. But it also found 0.2% in government, 0.3% in finance, 0.5% in email, 1.2% in shopping, and 1.9% in news. 

As for how users respond to password breach alerts, the study found mixed results. Google found that 25.7% of its alerts, totaling 81,368, did not trigger a password change from users. However, it also found that 26.1% of alerts, totaling 82,761, did result in a password change. 

The resulting password changes are a mixed bag, but did overwhelmingly lead to a stronger password. Google found that 60% of changed passwords are not vulnerable to guessing attacks, while the remainder are. And 94% of new passwords are at least stronger than the old one, even if a large chunk are still guessable. 

Google researchers argue in the paper that its Chrome extension is superior to Have I Been Pwned and Firefox Monitor, and contend that services like these could be exploited by attackers. 

"At present, these services make a variety of tradeoffs spanning user privacy, accuracy, and the risks involved with sharing ostensibly private account details through unauthenticated public channels," the researchers said. 

One consequence of these tradeoffs is that users may receive inaccurate remediation advice due to false positives, they say. 

"For example, both Firefox and LastPass check the breach status of usernames to encourage password resetting, but they lack context for whether the user's password was actually exposed for a specific site or whether it was previously reset," says Google.

"Equally problematic, other schemes implicitly trust breach-alerting services to properly handle plaintext usernames and passwords provided as part of a lookup. This makes breach alerting services a liability in the event they become compromised (or turn out to be adversarial)."

More on Google, Microsoft and passwords

Editorial standards