If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?
Presumably, the answer is ‘change it immediately’. And yet, according to Google, only one in four users of its Password Checkup Chrome extension decided to do just that when told the same bad news.
Introduced in February, Password Checkup compares a hashed version of every user password entered against a database of four billion that Google knows to have been compromised in breaches.
If it notices a match for a password and username combination, the user can either continue to log in (i.e. ignore it but be warned the next time), log in and change it, or ignore the warning by clicking ‘close’.
Doing the password comparison securely is more technically complicated than it sounds but suffice to say Google went to some lengths to solve the problem.
What it hasn’t yet managed to solve is the bigger problem of user apathy.
The most surprising part of Google’s finding is that these users were among the 650,000 who were motivated enough about security to download the tool in the first place.
In month one alone, Google says it scanned 21 million usernames and passwords, flagging 316,000 or 1.5% as having been part of a breach (a stat that excludes trivial passwords such as ‘12345’, which the tool doesn’t warn against to avoid overstating the obvious).
There is some good news – 60% of those who changed their potentially compromised passwords chose ones that would be hard to guess.
Password reuse
The question is why a significant number of people among the early adopters of a password advice tool choose to ignore its warnings.
The answer seems to be that even relatively cautious users hugely underestimate the danger of password re-use.
There is no doubt that a lot of people still re-use passwords despite being warned not to, but it seems they re-use some more than others.
Google found that people are less likely to re-use passwords across well-known sites, such as government and finance (0.2% and 0.3% reuse respectively), and email (0.5%).
By the time you get to shopping (1.2%), news (1.9%) and entertainment (6.3%), things start to deteriorate.
Unfortunately, from the attacker’s point of view, this matters not. Once criminals have access to a reused password (specifically, weak ones), the power of credential stuffing means that the clock is ticking on another site somewhere.
Beyond simply abolishing passwords altogether as a form of authentication, the brave answer might be for tools such as Password Checkup (and Firefox’s equivalent-but-not-identical, Firefox Monitor) to start nagging users more assertively.
It’s unlikely that browser makers have the stomach for this yet but if it comes to pass, the pestering could push more users to better alternatives such as password managers and two-factor authentication.
Mark
Is this checking the password in combination with the user name? Or just the password to see if anyone anywhere ever used it? I get not reusing passwords with the same username. But if some random person happened to use a password with a user name not in any way associated with my username, why should I care?
Bruce
Because those passwords are part of giant file that hackers are using to brute force accounts.
Don Miller
Many programs only allow for three or four error password tries,! How is it possible to brute-force this type of log-on?
Wilderness
It’s because they use botnets to try millions of different accounts at once instead of hammering away at just one account. Since each account is hit only a couple times, they don’t get locked.
John E Dunn
It relates to the individual so it’s a combination of the two.
(A password match alone would strongly indicate that a weak or guessable password had been used. There are online checkers which can spot these.)
Dominic Greisely
The problem with using any password that is already known is that it will appear in the “dictionary” used during brute force attacks. In other words, it’s bound to be one of the passwords they’ll try to use when attempting to log into your bank account, whether you’ve used it anywhere else or not.
Ulysses
Most people are just downright stubborn. They usually ignore warnings and blame Google for the hack when they’ve already been warn. People are going to freak out once 2FA becomes a standard.
Dominic Greisely
We’re moving away from two factor and into password-less authentication. Waze already does this. You don’t use a password to log in, you use the code they send to you via SMS text message. Other ways will be via specialized devices that generate the code based on a time algorithm, etc.
Anna M
When I ignore it, it’s because it’s an account that has no link to any personal information (like a comic reading app that literally just saves the page I’m on) or it’s a website that lets me login using my Google account, so… there’s no password for me to change.
Anonymous
It is inconvenient and annoying to have all these security rules. People who advocate “2FA. are not popular.
connected chris
if it were me using the google browser tool and it informed me that one or more of my passwords had been compromised, i would click the ignore option and then login to the site from a browser (NOT using the chrome password tool) and change my password from there instead.
i wonder how many of the 40% of users google reports didnt change their password through their browser extension actually changed their password the way i would have ? (which by the way would be the correct method since it would lessen the risk)
Spryte
It is my understanding that the chrome (Chromium) automated login “feature” will only remember the first password entered. If you change a password on a a site and try to login with that “feature” enabled it will still use your first password to try and log onto the site. (so I have been told)
nenesees
this is correct, I have changed my passwords via the websites needing to be changed. Google Chrome the next time I went to log in tried to auto fill my old user name and password. This will continue to happen, unless you either (a) delete old password from chrome (b) delete old and save new. Also; if you auto sync your phone across platforms; now I am not positive on this; but you will probably have to go to the other devices go into chrome and delete these old passwords here too. Unfortunately, do not believe there is any other way to accomplish this task.
John E Dunn
Presumably you mean using a browser other than Chrome. I’m not sure how this would make the process of changing a password more secure though.
Matt Parkes
Apologies I am being a little slow on the uptake, but how is resetting your password from a different browser more secure than doing so through Chrome? If you are suspicious of Google then if its a google account you are resetting it wouldn’t matter if you believe Google know your passwords anyway, if some other non google account then maybe but I am sure despite privacy concerns i cannot believe that Google want to capture your password in clear text for themselves.
epic_null
Is it also possible that the extension doesn’t differentiate between high and low value sites? Sometimes if I need to log on with my phone (which is not connected to a password manager) , I will reuse an old, likely breached password if I haven’t decided to commit to the service yet. It’s not until I decide to commit that I select a harder to enter or remember password.
Alen
The problem is that many people think this way and end up forgetting to change that password later. Then they get mad when the account gets taken over. It’s best to give every account a strong password and let a password manager deal with it.
Paul Ducklin
The password “changeme” frequently show up near in those lists of “the top N worst passwords”…
Anonymous
John F Dunn,
The closing of your article is alarming!
DO not recommend 2FA, because of the following WELL KNOWN REASONS:
a. Super easy to trick user with an identical page requiring 2FA yet, misspelling just one character in the domain name
b. Phone numbers are too easy to spoof.
Finally, the recommendation of password managers that rely on primitive verification methods, all of them, is serious.
The reliance on centralized systems has been the demise of societies at large.
Before you write articles, please educate further and test your knowledge.
Walter Moss
PS: Let’s see if you caught it.
Paul Ducklin
You seem to be suggesting that password managers are useless (or worse) because they *all* rely on primitive verification methods. I simply don’t think that’s correct. And if it’s a choice between your browser’s password manager and putting your cat’s name in every time, then you might as well pick the lesser of two evils anyway.
I agree that many 2FA systems can be phished in parallel with your username and password, for example if all you need to do is put in a code that’s generated offline by your phone. But my opinion is is that username+password+2FA of that sort is, ipso facto, no worse than username+passsword alone, so you might as well use it. After all, your password can get stolen by many other routes, and is valid to the crook indefinitely, whereas a 2FA code is valid once.
I have heard of numerous cases where plaintext or recoverable passwords have been breached from a service provider, but only know of one case where 2FA token seeds were breached – and that was from RSA, no less, but those seeds weren’t breached along with any passwords. in other words, your password may be recovered by crooks *without any phishing needed*, but if that sort of password crack almost certainly won’t also give the crooks the ability to clone your 2FA code sequence…
…so you win.
As long as your own liability isn’t increased by adopting 2FA (e.g. by a sleazy service provider who insists in thes mall print that once 2FA is turned on, you take on more potential blame in the case of a breach) I can’t see how it can make things worse – especially as an increasing number of 2FA interaction are much harder to ‘man-in-the-middle’. For example, I use a phone-message-based 2FA service for one of my accounts in which the “approve the transaction” message I get shows me the IP number that initiated the login attempt. If I were being phished via a fake login page, the subterfuge would immediately be uncovered by the 2FA message, because it would show that my own browser, where I already put in username+password, was not in fact where the login started. (Sure, I might forget to check the IP number. I could also forget to lock my bicycle up when I go into town… but I don’t.)
John E Dunn
You’re right that some 2FA systems can be spoofed although the incidence of this is still low relative to their use. As for the most secure types – hardware tokens – these are extremely secure. It’s incorrect to lump all 2FA systems into the same in terms of their risk.
As for password managers, while the data is backed up to the cloud, the keys used to decrypt it never leave the user’s computer (or token, in the case of a FIDO key). Feel free to explain why this is less secure than using no password manager at all but I take some convincing!
Walter Moss
John F Dunn,
The closing of your article is alarming!
DO not recommend 2FA, because of the following WELL KNOWN REASONS:
a. Super easy to trick user with an identical page requiring 2FA yet, misspelling just one character in the domain name
b. Phone numbers are too easy to spoof.
Finally, the recommendation of password managers that rely on primitive verification methods, all of them, is serious.
The reliance on centralized systems has been the demise of societies at large.
Before you write articles, please educate further and test your knowledge.
Walter Moss
PS: Let’s see if you caught it.
Gabriel
I do know that that report is most likely flawed. I have received that warning on that extension, gone on into the site, changed my password, to which all of my passwords are unique for each site, and the next day the same message came back up saying the same thing, to change my password because that site was part of a breach.
Eric J Malloy
Same thing has happened to me. I changed a password to a new unique password and 7 minutes later was told the password was compromised 7 minutes ago.
fogest1
I have clicked ignore on it countless times. Only one time has it triggered on a place where I wanted the warning. All the other times I ignored it, it was because I was developing on a local websites and it loves to tell me how my 123 password isn’t secure. It’s like Goooooooogle I know, the sites not even accessible to the web.
So I wonder if people like me are contributing to that 1 in 4 stat, because right now I bet it’s a lot of more tech savvy people using it. I’m hitting “ignore this site” not because I don’t care, but because I don’t care about it to run on my local sites.
John E Dunn
As I understand it, it is designed not to warn you about trivial passwords to avoid alert overload and shouldn’t trigger on an internal address. Baffled by that one.
NOPIAN MASYHURI
What it hasn’t yet managed to solve is the bigger problem of user apathy
DaveP
it is not apathy that we ignored that warning. First, i never downloaded an extension to check such things. second, it looks to be a hack itself. SURE, you have been compromised and you need to open your passwords and check them NOW.. what idiot would do that? maybe it’s not apathy or just common sense? According to your logic, i should go through my spam msg’s and believe all those phishing scams too?
Mati
Please Google and stop warning me about my password. I don’t want to change it. It is good as it is.
Sgordon777
Nope, not apathy, more likely confusion and suspicion of some popup telling them all their passwords are comprised, and to go change them all. This sure as hell was my first thought when seeing this…(Nobody bothered to tell me about this new service from Google)
limdog
Me too. I thought it might be a scam too which is why I searched to find this article in the first place.
Aurora Brown
I know for me personally, it’s not apathy, it’s being overwhelmed. Let’s say I have a hundred accounts on various websites (and that’s probably a conservative estimate as essentially every website you go on wants you to create an account). Now recently I’ve started getting the notification regarding passwords impacted by this data breach… it would literally take me an entire day or more to go through my list of passwords and change every single one of them. So again, my reaction is not one of apathy, but one of ‘who tf has time for this?!’
Ralph Dratman
Exactly my situation. I have about 100 passwords flagged. I go through and find the important accounts and change those passwords. I ignore the rest of the warnings. I am a very technical user, and would be glad to have those passwords changed, but I am not going to spend hours of my life doing it.
amicipat
This is very scary for me as an elderly disabled person, even McAfee is showing as compromised, so, not having the abilities of most of your posters, (no disrespect intended), I feel I have no alternative than to disconnect from the net altogether. However, this itself will provide more problems in that ‘life’ today does not allow us non-users a way to easily run our everyday life, but in reality, your comments above seem to state we are moving forward, when in fact, we are going back to the dark ages surely,
I am well aware that technology in general knows that we uneducated elder citizens only have a very few years left to be on earth so are not to be seriously considered, but there will always be ‘the less educated’ amongst society, not to mention those who cannot afford to be computer literate, but they too, are, it seems, not to be considered.
I have, after, writing this, disconnected all my ‘gadget’ that were supposed to assist me in my day to day life, and will sit here and wait for life to come to me!
Ralph
Loved the previous comment
From another senior,
Stupid question: does Google know all my passwords and usernames unencrypted and therefore this information is available to be hacked?
I apologize I have not thoroughly reviewed the previous comments
Paul Ducklin
The deal with a breached password is that if you used the same password on site Y as you did on site X, and your password from site X gets leaked publicly, then *everyone in the world*, including Google, knows what your password is on site Y.
So never reuse passwords, and change passwords if you know they have been breached!
Ravi Menon
This is really annoying because there is no provision to include/exclude websites. The d**n browser warns me every time I log into my internal server at home with an intentionally weak password and a “localhost” like IP address that no one from the internet can never get into!!!
Paul Ducklin
Why have a password at all if you are going to set it to a weak one? Just set a proper password and that way you don’t need to worry whether your claim that “no one can ever get at it” is true or not. (Remember that a dodgy website you visit on the outside can link to URLs on your local network and could therefore have a guess that way.)
zgoda
How do I turn this off for localhost, or a local subnet?
Turns out you can’t, it’s either globally on or globally off. Seeing this on any request to localhost:3000/login is insane so for me it’s off.
Paul Ducklin
Try setting proper passwords for *all* your login pages, even unimportant ones. You will not regret it. If an account is unimporant enough to allow bad passwords, don’t use a password at all.
Peter Verco
This is all misleading. Loads of people on other sites report changing their passwords, but the warning still appears. Same for me. So basically, it’s either fake, or malware.
Mike Qtips
I think the fact that Chrome repeatedly scares you with warnings about compromised passwords, but then won’t tell you what passwords were compromised and in fact tells you, when you ask to see them, that you don’t have any passwords saved at all, is a big part of the reason why nobody changes them.
The only change I’m contemplating making as a result of this annoying, useless nuisance feature is stopping using chrome so I can get on with using the internet without being constantly interrupted by frequent fearmongering ake notifications that don’t actually tell me anything that would let me actually fix the problem, if the problem even really exists, which it seems like it doesn’t, because I don’t even have any passwords saved.
DeathGateMinion
Maybe the reason so many people don’t bother to change them is because when they do, Chrome still says the passwords have been compromised and then you have to manually enter all of the usernames and passwords every time you visit the sites because Chrome won’t put them in automatically any more. Even when that message goes away, you still have to enter the info manually after that as it does not offer to save the new password. If they are going to force such an imposing feature on people then they should make sure it works. I switched to another browser rather than put up with this nonsense.
Peter Kionga-Kamau
Why would I change them? I intentionally set up easy to remember passwords on sites that I don’t care about or mainly) temporary resources that I am testing – it is not even remotely important to me to secure these passwords. This is just annoying noise slowing down my work.
Paul Ducklin
So you’re OK with accounts that are in your name legally (or at least that belong to you in a moral sense)…
…that crooks can use for whatever they want and point the finger at you? Maybe you don’t care but perhaps the rest of us, who stand to be affected, do…
Dave
I have used the same password(s) on numerous occasions because darn near every website wants you to register for even the smallest things. I simply do not care if my password to a forum I am a member of or a YouTube to MP3 converter site is compromised. I use caution22 or a minor variation of that for a lot of sites where I know I’ll never be leaving personal information behind. I believe that’s where this “apathy” stems from.
I have a password protected spreadsheet with about 100 login in credentials for the sites where I MIGHT need to leave personal info behind, but what is the point for an audio forum or the like? Someone might get on there and post as me? Have at er.
Paul Ducklin
As minor as it seems, they *will* be posting as you, and for as long as you don’t notice, anything disreputable (or legally actionable, or whatever) is sitting there under your name. Why take the risk? Use a password manager and you get the best of both worlds – passwords remembered easily; a different password for every site.
R
The massive number of false positives will have something to do with it.
I have various local dev sites or obscure sites where a breech is impossible or extremely improbable.
Yet I keep getting warnings for them.
Hence unless they are important sites and passwords, I leave em.
Kyle
For any site that has access to any kind of payment information, I keep those accounts secure always by using unique passwords.
But for most of the sites that I’ve saved passwords for, the account contains no sensitive information at all. Yet Google expects me to spend days changing hundreds of compromised passwords by hand.
Is it really important to have a secure password when no one could possibly do any damage by logging into my account? Can anyone explain why?
Paul Ducklin
If an account thinks it is important enough to need a password, then why not simply use a password manager and pick a decent one? Because anything done with an account tied to you… is tied to you, even if you created the account in a made-up name. Your life, your reputation, your influence on others in your community – all these are actually significant.
Whether it’s your “unimportant” account on a news site being abused to post racist comments, or your “unimportant” mailing list account being used to pitch investment scams to other people in your immediate community, or your “unimportant” social media account being used to sell followers…
…why let any of that “unimportant” stuff happen when a simple precaution could make it all so much less likely?
RandomDude
I also think that this feature is inherently broken.
Chrome keeps shouting that my icloud password is compromised, but I’ve changed it by Chrome’s advice months ago.
Same is happening for all sites whose passwords I already changed- more than 10.
I was hoping to clear this “compromised passwords” tab, but it never gets refreshed properly!
No wonder that the collected stats are broken as well!
Brian
As a person in the Information Technologies business, I have contracted for several companies over the past 31 years. Many decades ago, I learned how lax people are in a working environment about changing passwords. As the LAN Admin for a GM production plant, I was never surprised to see people with a sticky note on the monitor and it was clearly their login password. I have told people in the past to make up 2 or 3 random short words;
Red Ball Cat, next replace the vowels with 4, 3, 1, 0, 9 for A, E, I, O, U the password for the next 30 days would be R3B4LLC4T. But they didn’t, had one woman in Customer Service just change the last 2 numbers for the month. Example; NANCY01, NANCY02, NANCY03, …. NANCY10, NANCY11, NANCY12. They never understood that hackers (real hackers) will pose as workers and walk boldly into your office and look for post it notes. They do this to lay claim to fame they hacked a big corporation.
I don’t know how Google checks this but Google can “warn” these fools all they want, I know from experience, they won’t listen.
Change the passwords that matter every 30 days. Don’t save your password in the browser. If you really need a memory aide, write a poem and keep it in your desk. All you need in your crap poem is a line about the red ball cat would play with every day. The unlikely hacker, who breaks in your home, and reads it will not put it together.
William Ayers
These dimwits have never heard the story of “The Boy Who Cried Wolf”.
Lise Legault
I am *trying* to change my supposedly compromised passwords, and in fact have tried to do so several times. But my Chromebook keeps telling me when I go in to password management that the *new* password I’m trying to enter is “invalid”. I also find that it won’t let me look at my existing passwords – with the stars replaced by the actual numbers – without entering them. This defeats what I thought was one of the purposes of having pw management, i.e. in case you forget a password. It’s also hard to change a compromised pw if you don’t know what it is.
Mike L
I keep getting this for the answer to a security question. This is not a password, this is less secure. They have to first guess my password, which is not in a data breach, then use the answer to the security question, one of three of which is in a breach. I feel like this case is not a concern.