If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?
Presumably, the answer is ‘change it immediately’. And yet, according to Google, only one in four users of its Password Checkup Chrome extension decided to do just that when told the same bad news.
Introduced in February, Password Checkup compares a hashed version of every user password entered against a database of four billion that Google knows to have been compromised in breaches.
If it notices a match for a password and username combination, the user can either continue to log in (i.e. ignore it but be warned the next time), log in and change it, or ignore the warning by clicking ‘close’.
Doing the password comparison securely is more technically complicated than it sounds but suffice to say Google went to some lengths to solve the problem.
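To make the "compare a hash without handing the password to Google" idea concrete, here is an added example, not Google's Password Checkup code: a small client/server pair using a k-anonymity style range query, the approach commonly used for breached-password lookups. The client sends only a short hash prefix, the server answers with every hash suffix in that bucket, and the match is decided on the client. The prefix length, the class and function names and the breach corpus are all assumptions constructed for this illustration.

```python
"""
Added example (not Google's Password Checkup or its protocol): a
privacy-preserving "is this password known-breached?" lookup using a
k-anonymity range query. The breach corpus below is constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple

# Number of hex characters of the SHA-1 the client reveals (assumption).
PREFIX_LEN = 5

# Trivial passwords the article says the tool does not warn about, so the
# obvious is not overstated. Constructed sample set.
TRIVIAL = {"12345", "123456", "password"}


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password; only a prefix of this ever leaves the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Server side: holds only hashes of breached passwords, bucketed by prefix.

    It never sees a plaintext password from a client, and never sees a full
    hash either; it answers with the whole bucket for a 20-bit prefix.
    """

    def __init__(self, breached_passwords: List[str]) -> None:
        self.buckets: Dict[str, List[str]] = {}
        for pw in breached_passwords:
            h = sha1_hex(pw)
            self.buckets.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])

    def range_query(self, prefix: str) -> List[str]:
        """Return all hash suffixes whose hash starts with `prefix`."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the agreed prefix length")
        return sorted(self.buckets.get(prefix.upper(), []))


def check_password(server: BreachServer, password: str) -> Tuple[bool, str]:
    """Client side: return (compromised, reason) without revealing the password.

    Only `PREFIX_LEN` hex characters of the hash are sent to the server; the
    comparison against the returned bucket happens locally.
    """
    if password in TRIVIAL:
        return False, "trivial password: not checked, to avoid overstating the obvious"
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server.range_query(prefix)  # the only thing the server learns
    if suffix in candidates:
        return True, "hash suffix found in breach bucket: change this password"
    return False, "not found in breach corpus"


# Constructed breach corpus standing in for a real compromised-password set.
SAMPLE_BREACHED = ["hunter2", "letmein", "qwerty123", "12345", "Summer2019!"]


def demo() -> Dict[str, bool]:
    """Run the check over a few constructed inputs and return the verdicts."""
    server = BreachServer(SAMPLE_BREACHED)
    results = {}
    for pw in ["hunter2", "12345", "correct horse battery staple"]:
        compromised, reason = check_password(server, pw)
        results[pw] = compromised
        print(f"{pw!r}: compromised={compromised} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

The point of the range query is that a 5-character hex prefix covers about one in a million of all possible SHA-1 values, so in a corpus of billions each bucket holds many hundreds of entries and the server cannot tell which one, if any, the client was checking. Google's real scheme goes further (it also binds the check to the username and blinds the hashes), which is why the article calls the secure comparison more complicated than it sounds.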
What it hasn’t yet managed to solve is the bigger problem of user apathy.
The most surprising part of Google’s finding is that these users were among the 650,000 who were motivated enough about security to download the tool in the first place.
In month one alone, Google says it scanned 21 million usernames and passwords, flagging 316,000 or 1.5% as having been part of a breach (a stat that excludes trivial passwords such as ‘12345’, which the tool doesn’t warn against to avoid overstating the obvious).
There is some good news – 60% of those who changed their potentially compromised passwords chose ones that would be hard to guess.
Password reuse
The question is why a significant number of people among the early adopters of a password advice tool choose to ignore its warnings.
The answer seems to be that even relatively cautious users hugely underestimate the danger of password re-use.
There is no doubt that a lot of people still re-use passwords despite being warned not to, but it seems they re-use some more than others.
Google found that people are less likely to re-use passwords across well-known sites, such as government and finance (0.2% and 0.3% reuse respectively), and email (0.5%).
By the time you get to shopping (1.2%), news (1.9%) and entertainment (6.3%), things start to deteriorate.
Unfortunately, from the attacker’s point of view, none of this matters. Once criminals have access to a reused password, weak ones especially, the power of credential stuffing means that the clock is ticking on another site somewhere.
Beyond simply abolishing passwords altogether as a form of authentication, the brave answer might be for tools such as Password Checkup (and Firefox’s equivalent-but-not-identical Firefox Monitor) to start nagging users more assertively.
It’s unlikely that browser makers have the stomach for this yet but if it comes to pass, the pestering could push more users to better alternatives such as password managers and two-factor authentication.