Chrome add-on warns netizens when they use a leaked password. Sometimes, they even bother to change it

Alerted to exposed credentials, users do something about it roughly a quarter of the time

Between February and March this year, after Google released a Chrome extension called Password Checkup to check whether people's username and password combinations had been stolen and leaked from website databases, computer scientists at the biz and Stanford University gathered anonymous telemetry from 670,000 people who installed the add-on.

On Friday, the boffins – Kurt Thomas, Jennifer Pullman, Kevin Yeo, Ananth Raghunathan, Patrick Gage Kelley, Luca Invernizzi, Borbala Benko, Tadek Pietraszek, and Sarvar Patel, and Elie Bursztein from Google, with Dan Boneh from Stanford – presented a paper describing the results of their data gathering at the USENIX Security conference.

The paper [PDF], titled "Protecting accounts from credential stuffing with password breach alerting," reveals that about 1.5 per cent of logins on the web involve credentials that have been exposed online.

"During this measurement window, we detected that 1.5 per cent of over 21 million logins were vulnerable due to relying on a breached credential – or one warning for every two users," the paper says, noting that the figure is significantly less than a 2017 study where the rate was 6.9 per cent.
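The extension's premise is that a client can ask "is this username and password pair in a breach corpus?" without handing the pair to whoever runs the corpus. The following is an added illustration of the simplest version of that idea, a k-anonymity range query; it is not Google's Password Checkup code or protocol (the paper's scheme also blinds the hash so the server cannot brute-force pre-images of the prefix it receives, which is omitted here), and the leaked credentials, the sha256 hashing and the two-byte prefix length are assumptions chosen so the example runs stand-alone.

```python
"""Simplified k-anonymity breach check for username:password pairs.

Added example, not the Password Checkup protocol. The client only ever sends
a short hash prefix; the server answers with every breached hash that shares
that prefix, and the match is decided locally on the client.
"""
import hashlib
from collections import defaultdict

PREFIX_BYTES = 2  # 16-bit prefix: a query hides among ~1/65536 of the corpus


def credential_hash(username: str, password: str) -> bytes:
    """Canonicalise the username (case, surrounding whitespace) and hash the pair.

    Assumption: sha256 is used so the example has no dependencies. A real
    deployment would use a slow, memory-hard hash (the paper uses Argon2).
    """
    canon = username.strip().lower()
    return hashlib.sha256(f"{canon}:{password}".encode("utf-8")).digest()


class BreachServer:
    """Holds hashes of leaked credentials, bucketed by hash prefix."""

    def __init__(self, leaked_pairs):
        self.buckets = defaultdict(set)
        self.seen_prefixes = []  # everything the server ever learns about queries
        for user, pw in leaked_pairs:
            h = credential_hash(user, pw)
            self.buckets[h[:PREFIX_BYTES]].add(h)

    def query(self, prefix: bytes) -> set:
        """Return the whole bucket; the server never sees the full hash."""
        if len(prefix) != PREFIX_BYTES:
            raise ValueError("client must send exactly the agreed prefix length")
        self.seen_prefixes.append(prefix)
        return set(self.buckets.get(prefix, ()))


def client_check(server: BreachServer, username: str, password: str) -> bool:
    """True if the (username, password) pair is in the server's breach corpus.

    The full hash stays on the client; only its prefix crosses the wire.
    """
    h = credential_hash(username, password)
    candidates = server.query(h[:PREFIX_BYTES])
    return h in candidates


if __name__ == "__main__":
    # Constructed breach corpus, not real leaked data.
    server = BreachServer([("alice", "hunter2"), ("bob", "letmein"), ("Carol", "Passw0rd!")])
    print("Alice /hunter2 breached:", client_check(server, "Alice ", "hunter2"))
    print("alice/correct horse breached:", client_check(server, "alice", "correct horse"))
    print("server saw only prefixes:", [p.hex() for p in server.seen_prefixes])
```

The trade-off a practitioner should notice is between prefix length and bucket size: a shorter prefix gives the client more cover but makes every answer larger, and a server that logs `seen_prefixes` can still correlate queries with whatever it learns about the querying account, which is why the paper's design goes further than this.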

For the 28-day period, 316,531 logins involved leaked credentials. Users acted on the resulting warnings about a quarter of the time: 26 per cent of the notifications led to a password reset, and the rest went unheeded.

The researchers suggest three potential explanations: that users may not believe the risk is worth the effort of adopting a new password; that users may not be in full control of the account (e.g. a shared household account); or that there is insufficient guidance about how to reset a password.

Despite the fact their security advice may be ignored, they conclude, "Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking."

The risk, to which the title of the paper alludes, is credential stuffing, which involves gathering easily obtained sets of exposed credentials – usernames and passwords harvested from specific websites – and crafting code that attempts to use those credentials on a massive number of other websites, in the hope of finding login details that have been reused.

Credential stuffing attacks have become popular because there are so many compromised accounts available in online databases – 25 billion username and password pairs, according to internet plumbing giant Akamai.

Earlier this year, the biz said in its report on the subject that there were hundreds of millions of credential stuffing attacks carried out every day in 2018, with a three-day peak of 250 million malicious login attempts.
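From the defender's side, the attack pattern described above is visible in authentication logs: one source cycling through many distinct usernames with a low success rate, and the occasional success being exactly the reused credential the attacker was looking for. The following is an added example of that detection logic, not code from the paper or from Akamai; the log format, the sample lines, the five-minute window and the thresholds are all assumptions.

```python
"""Credential stuffing detection over authentication log lines (added example).

Flags any source IP that, within a sliding window, attempted logins for at
least `min_users` distinct accounts with a success ratio at or below
`max_success_rate`, then lists the accounts that nevertheless succeeded from
those sources, since those are the likely hijacks.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not real logs: 203.0.113.5 works through a list of
# accounts and gets into one; 198.51.100.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2019-03-01T12:00:01Z ip=203.0.113.5 user=alice result=fail
2019-03-01T12:00:02Z ip=203.0.113.5 user=bob result=fail
2019-03-01T12:00:02Z ip=198.51.100.7 user=carol result=fail
2019-03-01T12:00:03Z ip=203.0.113.5 user=carol result=fail
2019-03-01T12:00:04Z ip=203.0.113.5 user=dave result=success
2019-03-01T12:00:05Z ip=198.51.100.7 user=carol result=success
2019-03-01T12:00:06Z ip=203.0.113.5 user=erin result=fail
2019-03-01T12:00:07Z ip=203.0.113.5 user=frank result=fail
2019-03-01T12:10:00Z ip=203.0.113.5 user=grace result=fail
"""

# Assumed log format: "<iso timestamp> ip=<addr> user=<name> result=<success|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse(log: str):
    """Yield (timestamp, ip, user, succeeded) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "success"


def detect_stuffing(log: str, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for suspicious sources.

    Events older than `window` relative to the newest event from the same IP are
    dropped, so a source is judged on a sliding window rather than on all time.
    The tuple kept per IP is the observation with the most distinct accounts.
    """
    events = defaultdict(deque)  # ip -> recent (ts, user, ok) within the window
    flagged = {}
    for ts, ip, user, ok in parse(log):
        q = events[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_users and successes / len(q) <= max_success_rate:
            prev = flagged.get(ip)
            if prev is None or len(users) > prev[0]:
                flagged[ip] = (len(users), len(q), successes)
    return flagged


def hijacked_accounts(log: str, flagged: dict) -> list:
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return sorted({user for _, ip, user, ok in parse(log) if ok and ip in flagged})


if __name__ == "__main__":
    suspicious = detect_stuffing(SAMPLE_LOG)
    print("suspicious sources:", suspicious)
    print("accounts to reset:", hijacked_accounts(SAMPLE_LOG, suspicious))
```

Real stuffing traffic is usually spread across proxies and botnets, so the per-IP count above catches only the unsophisticated end of it; the same window logic applied per username, per user-agent fingerprint or per ASN, and a site-wide ratio of distinct usernames to successful logins, are the natural next steps.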

The eggheads from Google and Stanford found that users of the Password Checkup extension reused hacked credentials across more than 746,000 domains. "The risk of hijacking was highest for video streaming and adult sites, where 3.6–6.3 per cent of logins relied on breached credentials," their paper says.

Google appears to be convinced that having Chrome check for leaked passwords would benefit everyone using the browser. A Chromium bug report suggests the capability will be built into a future update. ®
