Serg Nvns - Fotolia

Google finds that web users log in with compromised credentials

People continue to use passwords that have been breached. Google has proposed a protocol, which could warn them if their credentials have been stolen

A study based on measuring Google Chrome users has estimated that 1.5% of web site logins are vulnerable because user credentials have been breached.

The Protecting accounts from credential stuffing with password breach alerting study from Google found that many people are using compromised login credentials. The study used data collected from 670,000 users from around the world who installed an extension to the Chrome browser, which checked whether their login details had been compromised.

“Anonymous telemetry reported by our extension reveals that users reused breached credentials on more than 746,000 distinct domains. The risk of hijacking was highest for video streaming and adult sites, where between 3.6% and 6.3% of logins relied on breached credentials,” the report’s authors, Jennifer Pullman, Kurt Thomas, and Elie Bursztein,warned.

The Chrome plug-in reported that popular sites with 10,000-plus logins experienced far less occurrences of users logging in with breached credentials than sites with few logins. The researchers said: “We believe this gap in security results from larger security investments on the part of popular domains towards proactively resetting passwords and helping users avoid ‘weak’ passwords.”

In the study, Google noted that people generally using simple text-based password, which often can be easily broken. In the report, Google proposes a privacy preserving protocol that allows a client to query whether their login credentials were exposed in a breach, without revealing the information queried. The service Google developed to support its browser plug-in ran on the Google Cloud.

“Based on our query volume per user, operating our service for an estimated 500,000 users would cost $85,500 a year. Caching the status of negative breach verdicts would substantially reduce expenses. Our goal in documenting these details is to provide other members of the community a benchmark for the costs of any improved privacy scheme,” the report’s authors stated.

Read more about identity management

  • For most people, emails are an easy and harmless way to communicate in the workplace, but they could also be a security disaster waiting to happen.
  • Facebook promised its users privacy then quietly abandoned its promises in pursuit of profits. Now it faces antitrust regulation.

Read more on Endpoint security

Data Center
Data Management