Google recently released a large-scale password study that will probably give every IT manager in the country heartburn. The results of their study indicate that a disturbing percentage of users continue to use passwords after they’ve been warned that those passwords have been compromised.
One of the most common tactics hackers employ is called ‘password spraying.’ It’s a simple technique. The hackers simply try several compromised passwords (even if they’ve been floating around the Dark Web for months) thinking that a surprising percentage will still work. Google’s study confirms the hackers’ beliefs to be true.
Right now on the Dark Web, there are more than 4 billion passwords known to be compromised. The scope and scale of the problem is staggering. Worse, the users who have compromised accounts are, as a rule, slow to do anything to mitigate the danger. According to the results of the study, only 26.1 percent of users who saw an alert indicating a compromised password bothered to change it. Barely one in four.
Even when users did bother to change their passwords, 60 percent of the time, the new password was found to be vulnerable to a simple guessing attack. Although in fairness, 94 percent of changed passwords wound up being stronger than the previous one.
To collect the information, Google relied on a newly offered Chrome extension called Password Checkup, which it claims is superior to Firefox’s Monitor and the “Have I Been Pwned” website.
The company contends that these other solutions could be exploited by hackers, summing it up as follows:
“At present, these services make a variety of tradeoffs spanning user privacy, accuracy, and the risks involved with sharing ostensibly private account details through unauthenticated public channels…For example, both Firefox and LastPass check the breach status of user names to encourage password resetting, but they lack context for whether the user’s password was actually exposed for a specific site, or whether it was previously reset.
Equally problematic, other schemes implicitly trust breach-alerting services to properly handle plaintext usernames and passwords provided as part of a lookup. This makes breach alerting services a liability in the event they become compromised (or turn out to be adversarial).”