A quarter of users don't change their passwords, even if they are told that the password they're using for an account has been compromised, according to a Google study.
Google has released the results of its study into password behavior derived from data it collected from 670,000 users who’d installed its Chrome extension, Password Checkup, and logged into websites 21 million times.
Google launched the Password Checkup Chrome extension last February, offering a different take on popular services like Haveibeenpwned, which users can check to see if their credentials were exposed in a password database breach.
Password Checkup on Chrome may intervene when users sign in to a site if the username and password used match one of roughly 4 billion credentials that Google has collected from publicly known password breaches.
Google has now revealed in a study some alarming yet not surprising statistics about how users approach passwords.
First, lots of people continue logging into sites using breached credentials.
Around 1.5%, or 316,531, of the 21 million logins were made using credentials in Google’s trove of known compromised credentials. Google believes this percentage would be higher in the general population, since security-conscious users are the ones most likely to have installed its Chrome extension.
But second, and more important, 25.7%, or 81,368, of the extension's users continued to log in with compromised credentials even after Google’s extension had warned them of the fact.
These accounts are vulnerable to so-called password spraying attacks, where a small set of the most popular (and often worst) passwords are tested against a large number of accounts. Password spraying is a type of brute force or password guessing attack currently targeting Australian organisations.
However, Google researchers argue users could be ignoring warnings because they were using a throw-away account, a non-primary user was logging into a shared account, or that the site had unhelpful password-reset processes.
On the upside, 26.1%, or 82,761, users created new passwords after receiving an alert, and those that did tended to pick a stronger password than the one they had received an alert about.
While the study suggests that whether a person responds to a password alert is roughly fifty-fifty, the fact that a significant proportion do indicates that these types of alerts have a positive impact.
According to Google, 60% of new passwords were resilient to password spray attacks, which would take over 100 million guesses to crack, and 96% were stronger than the original password. Still, around 40% were “somewhat guessable” or worse.
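The two checks the article describes, matching a login against a corpus of known breached credentials and judging whether a replacement password would survive a spraying attack, can be illustrated in a few lines. The following is an added example written for this page; it is not Google's Password Checkup code, and its guess-count model is a deliberately simple assumption (character-class alphabet size raised to the password length, with a short constructed list of common passwords checked first) rather than Google's strength estimator. The breached-credential corpus and the common-password list are small constructed samples.

```python
import hashlib
import string

# Constructed sample of breached (username, password) pairs. A real corpus
# would hold billions of entries; these three exist only for this example.
_BREACHED_PAIRS = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "Summer2019!"),
    ("carol@example.com", "letmein"),
]

# Constructed list of very common passwords, most common first. A password
# on this list can be guessed in roughly (its position + 1) attempts.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Password123"]

# From the article: a password that would take over 100 million guesses
# counts as resilient to password spraying.
SPRAY_RESILIENCE_THRESHOLD = 100_000_000


def _fingerprint(username: str, password: str) -> str:
    """Hash the normalised username:password pair so the plaintext pair is never stored."""
    material = f"{username.strip().lower()}:{password}".encode()
    return hashlib.sha256(material).hexdigest()


# The corpus is stored as hashes of the pairs, never as plaintext.
BREACHED_FINGERPRINTS = frozenset(_fingerprint(u, p) for u, p in _BREACHED_PAIRS)


def is_breached_credential(username: str, password: str) -> bool:
    """True if this exact username/password combination appears in the breach corpus."""
    return _fingerprint(username, password) in BREACHED_FINGERPRINTS


def estimate_guesses(password: str) -> int:
    """Crude guess-count estimate (assumption for this example, not Google's model).

    Common passwords are guessed almost immediately, whatever their length;
    otherwise the estimate is alphabet_size ** length, where the alphabet is the
    union of the character classes actually used.
    """
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        alphabet += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        alphabet += len(string.digits)
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return alphabet ** len(password)


def classify_password(password: str) -> str:
    """'resilient' if the estimate clears the spraying threshold, else 'somewhat guessable'."""
    if estimate_guesses(password) > SPRAY_RESILIENCE_THRESHOLD:
        return "resilient"
    return "somewhat guessable"


def evaluate_login(username: str, password: str) -> dict:
    """What a checkup extension would decide at sign-in time: warn or not, and why."""
    breached = is_breached_credential(username, password)
    return {
        "warn": breached,
        "reason": "credential found in breach corpus" if breached else None,
        "strength": classify_password(password),
    }


if __name__ == "__main__":
    for user, pw in [("carol@example.com", "letmein"), ("dave@example.com", "x7#Lq9!vBn2")]:
        print(user, evaluate_login(user, pw))
```

Note the "letmein" case: by alphabet-size arithmetic alone, seven lowercase letters would be about 8 billion guesses and would pass the threshold, which is why the common-password list is consulted before any arithmetic. A real checker would use a trained guess-number estimator and a far larger corpus, but the shape of the decision, compare the pair against a hashed corpus and then rate the replacement, is the same.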