Following up on the release of its Password Checkup extension for Chrome, Google reports there’s some good news and some bad.
The good news is that, since its launch, over 650,000 people have used Password Checkup, allowing Google to scan 21 million usernames and passwords. The bad news is twofold: a) 316,000 -- or approximately 1.5 percent -- of web users are still using log-in credentials that Google considers “unsafe”; and b) users ignored 25.7 percent (or 81,368) of all warnings sent their way.
Google’s report was released last week at the USENIX Security Symposium in Santa Clara, California.
“Our research shows that users opt to reset 26 percent of the unsafe passwords flagged by the Password Checkup extension,” the company said. “Even better, 60 percent of new passwords are secure against guessing attacks -- meaning it would take an attacker over a hundred million guesses before identifying the new password.”
Recklessly reusing passwords
Data breaches have become an almost everyday occurrence. And it’s a safe bet that many web surfers use the same usernames and passwords on several accounts. Hackers are betting on that, trying every credential they have for a person in an attempt to crack their way in.
“Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts,” Google stated.
“This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites. In fact, outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.”
Improving your protection is important
In ConsumerAffairs’ recent story about the 23 million-deep CafePress hack, HaveIBeenPwned’s Troy Hunt reminded consumers that guarding personal data with a variety of log-ins is much easier these days thanks to password management apps and sites.
Google’s Password Checkup is a definite move in that direction, too -- even going as far as making itself more available to the end-user via a “quick comment box” where users can report any issues they’re experiencing.
For those who are more concerned about Big Brother looking over their shoulder, Google is also handing back some of the keys to the user, including a way to opt out of Password Checkup’s “anonymous telemetry.”
“By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information,” the company said.