A study based on measuring Google Chrome users has estimated that 1.5% of web site logins are vulnerable because user credentials have been breached.
Google's study, “Protecting accounts from credential stuffing with password breach alerting”, found that many people are using compromised login credentials. The study used data collected from 670,000 users from around the world who installed an extension to the Chrome browser, which checked whether their login details had been compromised.
“Anonymous telemetry reported by our extension reveals that users reused breached credentials on more than 746,000 distinct domains. The risk of hijacking was highest for video streaming and adult sites, where between 3.6% and 6.3% of logins relied on breached credentials,” the report’s authors, Jennifer Pullman, Kurt Thomas, and Elie Bursztein, warned.
The Chrome plug-in reported that popular sites with 10,000-plus logins experienced far fewer occurrences of users logging in with breached credentials than sites with few logins. The researchers said: “We believe this gap in security results from larger security investments on the part of popular domains towards proactively resetting passwords and helping users avoid ‘weak’ passwords.”
In the study, Google noted that people generally use simple text-based passwords, which can often be easily broken. In the report, Google proposes a privacy-preserving protocol that allows a client to query whether their login credentials were exposed in a breach, without revealing the information queried. The service Google developed to support its browser plug-in ran on the Google Cloud.
“Based on our query volume per user, operating our service for an estimated 500,000 users would cost $85,500 a year. Caching the status of negative breach verdicts would substantially reduce expenses. Our goal in documenting these details is to provide other members of the community a benchmark for the costs of any improved privacy scheme,” the report’s authors stated.