It's official: 1.5% of web logins use breached credentials, according to research published by Google. The company reached that number by analyzing login data collected by its own browser extension, and presented the results at the USENIX Security Symposium this week.
Many websites still rely on only a combination of username and password to grant users access. Large data breaches have leaked billions of these credentials online, and they have been documented in databases like cybersecurity researcher Troy Hunt's Have I Been Pwned. People who reuse their email and password combinations across different sites are therefore vulnerable to credential-stuffing attacks, in which cyber-criminals attempt to access multiple websites using their stolen credentials.
In February, Google published an extension to the Chrome browser called Password Checkup. When a user enters credentials into a website, Google checks them against a database of over four billion breached usernames and passwords, warning the user if that username and password combination has been stolen and leaked publicly.
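As an added illustration (not code from Google's extension or from the paper), here is a minimal version of the lookup pattern a breach-checking service relies on: the client sends only a short prefix of a credential hash, the server answers with every breached suffix in that bucket, and the match is decided on the client, so neither the username nor the password ever leaves the browser in clear. The prefix length, the hashing of the lower-cased username together with the password, and the sample corpus are assumptions made here; Google's published protocol also blinds the hash and uses a memory-hard hash function, which this example omits.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample "breach corpus" (made-up entries, not real leaked data),
# standing in for the multi-billion-record database the article mentions.
BREACH_CORPUS: List[Tuple[str, str]] = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "hs#s8d77sD^a"),
    ("carol@example.com", "letmein"),
    ("alice@example.com", "Summer2019!"),
]

# Number of hex characters of the hash the client reveals to the server.
# Assumed value: 5 hex chars = 2^20 buckets, so a four-billion-row corpus
# would leave roughly 4,000 candidate records per bucket.
PREFIX_LEN = 5


def credential_hash(username: str, password: str) -> str:
    """Hash the username:password pair. The username is lower-cased because
    most sites treat it case-insensitively; the password is used verbatim."""
    material = f"{username.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_server_index(corpus: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Server side: bucket every breached credential hash by its prefix."""
    index: Dict[str, Set[str]] = {}
    for username, password in corpus:
        digest = credential_hash(username, password)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


SERVER_INDEX = build_server_index(BREACH_CORPUS)


def client_query(username: str, password: str) -> str:
    """Client side: this short prefix is the only thing sent over the wire."""
    return credential_hash(username, password)[:PREFIX_LEN]


def server_lookup(index: Dict[str, Set[str]], prefix: str) -> Set[str]:
    """Server side: return the whole bucket; the server learns the prefix only."""
    return index.get(prefix, set())


def is_breached(index: Dict[str, Set[str]], username: str, password: str) -> bool:
    """Client side: compare the secret suffix locally against the returned bucket."""
    digest = credential_hash(username, password)
    bucket = server_lookup(index, digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in bucket


if __name__ == "__main__":
    for user, pw in [("Alice@example.com", "password123"),
                     ("alice@example.com", "Summer2020!"),
                     ("dave@example.com", "password123")]:
        print(f"{user!r} / {pw!r}: breached={is_breached(SERVER_INDEX, user, pw)}")
```

Two properties matter in practice. First, the check is on the pair, not the password alone: `dave@example.com` with `password123` is not flagged even though another user's copy of that password is in the corpus, which matches the credential-stuffing threat the article describes. Second, the privacy of the query depends entirely on bucket size; with a four-record corpus every bucket is a singleton and the prefix identifies the record, so the scheme only hides the credential being checked once buckets hold thousands of entries.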
In the first month of operation, almost 670,000 people participated in the service, logging in 21 million times. Of those logins, 1.5% involved breached credentials, the research found.
People reused breached credentials on over 746,000 distinct domains, Google said. Video streaming and adult websites were most at risk of hijacking. Up to 6.3% of logins at those sites relied on breached credentials. Comparatively, only 0.3% of logins involved breached passwords at financial sites, and only 0.2% at government sites, the company said in a blog post yesterday. This could be because those sites had stricter password requirements, said the report. You probably couldn't use your dog's name as a password on many government sites, unless your dog's name happened to be "hs#s8d77sD^a," it said.
The research found that users took steps to reset one in four (26%) of the unsafe passwords flagged by the Password Checkup extension. Of the new passwords, 94% were as strong as or stronger than the originals, and an encouraging 60% were strong enough to resist password-guessing attacks, meaning an attacker would need more than 100 million guesses to find the new password.