back to article Chrome add-on warns netizens when they use a leaked password. Sometimes, they even bother to change it

Between February and March this year, after Google released a Chrome extension called Password Checkup to check whether people's username and password combinations had been stolen and leaked from website databases, computer scientists at the biz and Stanford University gathered anonymous telemetry from 670,000 people who …

  1. Anonymous Coward
    Anonymous Coward

    11 "boffins"

    ... to parse stats?

    1. Anonymous Coward
      Anonymous Coward

      Re: 11 "boffins"

      You clearly know how studies are designed and papers are written...

      1. Anonymous Coward
        Anonymous Coward

        Re: 11 "boffins"

        ...which is why I posted anonymously!

    2. Anonymous Coward
      Anonymous Coward

      Re: 11 "boffins"

      Well, all the other studies were peer reviewed by 10 boffins, but ours is very, very special because we got our journal to go up to 11.

    3. Muscleguy Silver badge

      Re: 11 "boffins"

      These days it is usual for papers to detail what each author added to the research. So why don't you look at the pdf and find out? The specialisms these days may astound you.

      Personally I'm published in Nature. I was doing 4 dimensional aberrant muscle anatomy in wholemount mouse embryos. Hence my monniker. I leave and breathe mouse muscle anatomy.

      1. Anonymous Coward
        Anonymous Coward

        Re: 11 "boffins"

        "I leave and breathe mouse muscle anatomy."

        I didn't realise the effects of Brexit on mice were being studied so closely...

    4. JCitizen Bronze badge
      Megaphone

      Re: 11 "boffins"

      Did it occur to them that it was the Chrome browser that compromised the passwords? You never let a browser remember your passwords, they are not secure in a browser storage "vault". I doubt the majority of web users know that.

  2. Phil Endecott

    > Warnings sent to users were then ignored about a quarter of the time (26 per cent);

    > these notifications also resulted in password resets about 26 per cent of the time.

    What happened the other 48% of the time?

    1. Ben Tasker Silver badge

      Looking (quickly) at the paper, it doesn't look like it's the Reg screwing up either... they've got a table in there:

      Extension users 667,716

      Logins analyzed 21,177,237

      Domains covered 746,853

      Breached credentials found 316,531

      Warnings ignored 81,368 (26%)

      Passwords reset 82,761 (26%)

      Reading the surrounding pages doesn't really explain anything additional relating to the left over balance either.

      1. Anonymous Coward
        Anonymous Coward

        They should have used "12 boffins"!

      2. Anonymous Coward
        Anonymous Coward

        The remaining 48% clicked on password reset, only to type in Password1 once again.

    2. Alumoi Silver badge

      They didn't give a flying f..., like any normal person will do.

      What I don't get it how they tricked that many suckers into installing the extension in the first place.

      1. Anonymous Coward
        Anonymous Coward

        Umm, if they don't give a toss, that comes under ignored.

        1. Baldrickk Silver badge

          Ignored is most likely "did not click on notification" or however its done.

          I guess the missing 48% looked at it, but took no further action.

      2. TeeCee Gold badge
        Facepalm

        Probably by telling them that it was a FREE!!111!! ativiruz scummr.

        1. Drew Scriver Silver badge

          Maybe they went around parking lots and dropped USB thumb drives that would auto-install the extension when inserted...

  3. Kevin McMurtrie Silver badge

    eg. a shared household account

    Or bogus accounts created to download a software patch.

  4. Notas Badoff

    Massive improvement in education! Oh, wait...

    "1.5 per cent of over 21 million logins were vulnerable ... the paper says, noting that the figure is significantly less than a 2017 study where the rate was 6.9 per cent."

    Ah, research papers. Everybody on board with *eleven* researchers named. Massive hole obvious in statistics (though perhaps mentioned in the actual paper?) because too close to subject?

    It was 1.5% instead of the expected >5% *because* these were the people who knew enough to be concerned about security and installed an extension to check up on themselves, yes? The studied population in no way reflects the general public.

    But then again the behaviour in reaction to notifications does sound quite 'normal'. Lack of round tuits in view.

    BTW: did the paper mention anonymisation in conducting the study?

  5. Anonymous Coward
    Anonymous Coward

    I'm using credentials I know have been stolen

    They are my standard "insecure" online password that I've been using for about 20 years now for throwaway logins on sites I don't care about. I still use them for creating new accounts even after finding out (to no surprise) that they've been compromised, and I've received the threatening spams containing my password. Because the whole point of using that password is that it is easy to remember and only used on sites that don't matter.

    1. a handle

      Re: I'm using credentials I know have been stolen

      Yes this tends to break the stats. I do this too. Many others will.

    2. Trixr

      Re: I'm using credentials I know have been stolen

      Yup, and in fact, "leaked" creds are great, because there are some older sites where I've used a crappy password associated with my main "social" email address which was later hacked, but I also use that address for sites I care a little bit more about and I use a better pword for those.

      If a leaked password means that they're not going to try and brute-force attack passwords associated with that email address, great. It probably doesn't in fact mean that, but honestly, they can have it.

    3. Brangdon

      Re: I'm using credentials I know have been stolen

      ... and you don't care if they are used for social engineering attacks?

  6. Anonymous Coward
    Anonymous Coward

    *Shrug*

    using a password manager means no repeated passwords, so much less worry. Also I have 2FA enabled more than is convenient.

    1. a handle

      Re: *Shrug*

      Who's password manager? There were password managers that disappeared from the public scene after Snowdon leaked the NSAs tricks.

      1. Anonymous Coward
        Anonymous Coward

        Re: *Shrug*

        I use LastNsa, i mean LastPass.

      2. Anonymous Coward
        Anonymous Coward

        Re: Who's password manager?

        As long as your password manager is a single component of a wider security landscape, it really shouldn't matter.

        However if it's your *only* nod to security it also doesn't matter. They should all be considered compromised.

    2. Gordon861

      Re: *Shrug*

      I think the 2FA has been a great improvement, only worry is if eventually that'll be 'broken' but if it does we're all screwed anyways.

      1. Anonymous Coward
        Anonymous Coward

        Re: 2FA screwed

        No security can be 100%.

  7. dajames Silver badge

    The risk of hijacking was highest for video streaming and adult sites...

    It seems to me that a certain sort of person who wanted to visit a porn site -- or stream pirate video -- might choose to try sets of credentials from a database of compromised passwords until they found some that worked ... and let the embarrassment be someone else's.

    Similarly, if such a person wanted to stream some video from a site that charged for access they might try some third-party credentials until they found some that worked on that site and let someone else pay for their viewing.

    It doesn't surprise me that streaming and porn account for a lot of the cases.

    1. Anonymous Coward
      Anonymous Coward

      Re: The risk of hijacking was highest for video streaming and adult sites...

      Porn.

      I went looking for porn on the web out of curiosity and found so much it amazed me. I now want to know why you even need to enter a name and pw, I feel I should sign up just to see what else there is I am missing.

      When I was a teenager I was limited to the porn mags left in the tractors on my friends farm. I had a deprived childhood compared to today's kids.

      1. Anonymous Coward
        Anonymous Coward

        Re: The risk of hijacking was highest for video streaming and adult sites...

        "Curiosity" - For educational purposes only, right?!

        1. Anonymous Coward
          Anonymous Coward

          Re: The risk of hijacking was highest for video streaming and adult sites...

          Be thankful - I watched the porn so you don't have to!

      2. Anonymous Coward
        Anonymous Coward

        Re: The risk of hijacking was highest for video streaming and adult sites...

        <quote> I now want to know why you even need to enter a name and pw, I feel I should sign up just to see what else there is I am missing.</quote>

        Gotta have the bookmarks of your favourites _somewhere_?

      3. Anonymous Coward
        Anonymous Coward

        Re: The risk of hijacking was highest for video streaming and adult sites...

        Oh please don't use that hoary old "when I was a lad I found porn in the woods / a bus shelter / railway lines" etc.

        It's beyond clichéd

        1. Anonymous Coward
          Anonymous Coward

          Re: The risk of hijacking was highest for video streaming and adult sites...

          It's beyond clichéd

          It's also the truth. Or where do YOU think people got porn from, before it was available online?

        2. Muscleguy Silver badge

          Re: The risk of hijacking was highest for video streaming and adult sites...

          I found some under the carpark stairs where I stashed the papers for the second half of my morning paper run. I went back through so why carry them? I suspect some nice people leave them around as educational sources when they've finished with them. This was left in the dry under the stairs.

          It happens. It may be a cliché but doesn't stop it being true.

          1. Anonymous Coward
            Anonymous Coward

            Re: The risk of hijacking was highest for video streaming and adult sites...

            Boy scout paper drives sponsored by the local Lutheran Church. As G*d is my witness.

          2. Anonymous Coward
            Anonymous Coward

            Re: The risk of hijacking was highest for video streaming and adult sites...

            I remember in the 90's we used to go out making dens, and riding bikes through the local woods, den building always meant searching for appropriate materials for cover, I remember finding on several occasions porn mags and VHS cassettes in black plastic bags, and in sheds in horse fields. one find was a good 5 min walk from closest road, but our den was directly opposite the entrance to the field, we saw someone stop a car, walk for a bout 10 minutes and come back, driving off in a very angry manner. How much does porn cost? Always thought it was free (even as a kid in the 90's).

    2. Anonymous Coward
      Anonymous Coward

      Re: The risk of hijacking was highest for video streaming and adult sites...

      Wait, some people actually *pay* for p0rn?

  8. Anonymous Coward
    Anonymous Coward

    Cynical me believes....

    that in the near future we might be reading about an unprotected cloudy bucket being found containing.......

    user details from some browser extension used for password research.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cynical me believes....

      But this application shouldn't need to know the current passwords, just whether a hash of the current password matches a hash of the stolen credentials, storing a result (match/no match) and then discarding the hashes..

      If they're going through saving new passwords/password hashes, I suspect they may not be good people...

  9. Anonymous Coward
    Anonymous Coward

    Not all credentials are created equal...

    If the site doesn’t have access to my credit card, who cares?

    If my TheRegister login was cracked (for example) I’d just check to see if they posted anything good.

    My import logins won’t be cracked with brute force unless there’s a flaw in the encryption, and 99.99999% of the worlds population will get their credentials exposed first.

    1. Muscleguy Silver badge

      Re: Not all credentials are created equal...

      My pw for this site is ancient and I used to use to for a lot of sites. But that was with an old work email address which is no longer valid leaving El Reg last man standing.

      Now I use phrase initials with unique endings and I have multiple phrases, from my own unpublished poetry. Crack that.

  10. Stuart Halliday

    Sadly as a Home IT Advisor, most customers don't know or don't care.

    Even got a customer who uses the same password for everything!

    These are people using banking, etc.

  11. Richard Cranium

    Pointless

    If I understand correctly if anyone anywhere has used a password that's been leaked it gets onto the list and you get advised to change *your* PW which relates to a *different* service with a *different* user ID. A leaked PW alone is of little use to anybody.

    I said "Little use" rather than "none" because I guess someone trying a dictionary attack might use the list of compromised passwords as their dictionary but surely any credible login system blocks dictionary attacks these days...

    If the alert were for poor passwords: too short, no use of mixed upper & lower case, numbers and some non-alphanumerics, that would be valid (but annoying when visiting web sites that don't permit non-alphanumerics in passwords).

    Alternatively if the blacklist were just of, say, the top 10,000 passwords then it might be worth advising those using things like "123456", "password", "letmein" and "topsecret" that their choice may be poor (although like others I have a garbage email and UID/password pair I re-use on inconsequential sites like those wanting a login for reasons things like to "get our free whitepaper on..." )

    1. Brangdon

      Re: any credible login system blocks dictionary attacks

      Even if the site blocks dictionary attacks, that doesn't help if they get compromised and their password database is copied. The attacker can then access it directly and circumvent the site's login.

  12. Anonymous Coward
    Anonymous Coward

    "Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking."

    Jesus sweet Christ, it's Monday morning. Do turn down the corporate speak mumbo-jumbo out of respect for the recently departed weekend.

    And maybe, just maybe, if the lads didn't use corporate action words like that, then common folk might be more apt to change their poorly chosen passwords.

    1. Yet Another Anonymous coward Silver badge

      How did they know "Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking." is my password?

  13. A random security guy Bronze badge

    It is just password; wait for biometrics related credentials stuffing

    When you have to chop off your fingers or get rid of eyes ...

    https://www.vpnmentor.com/blog/report-biostar2-leak/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020