Study On Passwords Shows People Still Use Breached Passwords

August 28, 2019

Written by wukovits

Google recently released a large-scale password study that will probably give every IT manager in the country heartburn. The results of their study indicate that a disturbing percentage of users continue to use passwords after they’ve been warned that those passwords have been compromised.

One of the most common tactics hackers employ is called ‘password spraying.’  It’s a simple technique.  The hackers simply try several compromised passwords (even if they’ve been floating around the Dark Web for months) thinking that a surprising percentage will still work.  Google’s study confirms the hackers’ beliefs to be true.

Right now on the Dark Web, there are more than 4 billion passwords known to be compromised.  The scope and scale of the problem is staggering. Worse, the users who have compromised accounts are, as a rule, slow to do anything to mitigate the danger.  According to the results of the study, only 26.1 percent of users who saw an alert indicating a compromised password bothered to change it.  Barely one in four.

Even when users did bother to change their passwords, 60 percent of the time, the new password was found to be vulnerable to a simple guessing attack. Although in fairness, 94 percent of changed passwords wound up being stronger than the previous one.

To collect the information, Google relied on a newly offered Chrome extension called Password Checkup, which it claims is superior to Firefox’s Monitor and the “Have I Been Pwned” website.

The company contends that these other solutions could be exploited by hackers, summing it up as follows:

“At present, these services make a variety of tradeoffs spanning user privacy, accuracy, and the risks involved with sharing ostensibly private account details through unauthenticated public channels…For example, both Firefox and LastPass check the breach status of user names to encourage password resetting, but they lack context for whether the user’s password was actually exposed for a specific site, or whether it was previously reset.

Equally problematic, other schemes implicitly trust breach-alerting services to properly handle plaintext usernames and passwords provided as part of a lookup.  This makes breach alerting services a liability in the event they become compromised (or turn out to be adversarial).”

Used with permission from Article Aggregator

Bayou Tech

We provide solutions for your business. Find out how we can help.

Related Articles

New Graphene Technology May Increase Hard Drive Storage

HDDs are old, well understood technology. They haven't changed much in recent years. In fact, increasingly, people are writing them off, preferring SSDs for their greater speed and smaller size, even though HDDs are less expensive. The clever folks at the University...

Some Amazon Device Features May Have Security Risks

Have you heard of Amazon Sidewalk? If not, it's definitely something you should be aware of. Depending on your point of view, the new feature, which was enabled by default on a wide range of Amazon devices by default on June 8 of this year (2021) is either...

Email Unsubscribe Scam Can Easily Fool Any User

Scammers are increasingly relying on a tried and true bit of social engineering to fool unsuspecting users into unwittingly signing up to receive a flood of additional spam email. They accomplish this by blasting out an email asking recipients if they wish to...

Send us a message

Your message was sent.