
11 "boffins"
... to parse stats?
Between February and March this year, after Google released a Chrome extension called Password Checkup to check whether people's username and password combinations had been stolen and leaked from website databases, computer scientists at the biz and Stanford University gathered anonymous telemetry from 670,000 people who …
These days it is usual for papers to detail what each author added to the research. So why don't you look at the pdf and find out? The specialisms these days may astound you.
Personally I'm published in Nature. I was doing 4-dimensional aberrant muscle anatomy in wholemount mouse embryos. Hence my moniker. I live and breathe mouse muscle anatomy.
Looking (quickly) at the paper, it doesn't look like it's the Reg screwing up either... they've got a table in there:
Extension users               667,716
Logins analyzed            21,177,237
Domains covered               746,853
Breached credentials found    316,531
Warnings ignored               81,368 (26%)
Passwords reset                82,761 (26%)
Reading the surrounding pages doesn't really explain anything additional relating to the leftover balance either.
"1.5 per cent of over 21 million logins were vulnerable ... the paper says, noting that the figure is significantly less than a 2017 study where the rate was 6.9 per cent."
Ah, research papers. Everybody on board with *eleven* researchers named. Massive hole obvious in statistics (though perhaps mentioned in the actual paper?) because too close to subject?
It was 1.5% instead of the expected >5% *because* these were the people who knew enough to be concerned about security and installed an extension to check up on themselves, yes? The studied population in no way reflects the general public.
But then again the behaviour in reaction to notifications does sound quite 'normal'. Lack of round tuits in view.
BTW: did the paper mention anonymisation in conducting the study?
They are my standard "insecure" online password that I've been using for about 20 years now for throwaway logins on sites I don't care about. I still use them for creating new accounts even after finding out (to no surprise) that they've been compromised, and I've received the threatening spams containing my password. Because the whole point of using that password is that it is easy to remember and only used on sites that don't matter.
Yup, and in fact, "leaked" creds are great, because there are some older sites where I've used a crappy password associated with my main "social" email address which was later hacked, but I also use that address for sites I care a little bit more about and I use a better pword for those.
If a leaked password means that they're not going to try and brute-force attack passwords associated with that email address, great. It probably doesn't in fact mean that, but honestly, they can have it.
It seems to me that a certain sort of person who wanted to visit a porn site -- or stream pirate video -- might choose to try sets of credentials from a database of compromised passwords until they found some that worked ... and let the embarrassment be someone else's.
Similarly, if such a person wanted to stream some video from a site that charged for access they might try some third-party credentials until they found some that worked on that site and let someone else pay for their viewing.
It doesn't surprise me that streaming and porn account for a lot of the cases.
Porn.
I went looking for porn on the web out of curiosity and found so much it amazed me. I now want to know why you even need to enter a name and pw, I feel I should sign up just to see what else there is I am missing.
When I was a teenager I was limited to the porn mags left in the tractors on my friend's farm. I had a deprived childhood compared to today's kids.
I found some under the carpark stairs where I stashed the papers for the second half of my morning paper run. I went back through so why carry them? I suspect some nice people leave them around as educational sources when they've finished with them. This was left in the dry under the stairs.
It happens. It may be a cliché but doesn't stop it being true.
I remember in the 90's we used to go out making dens and riding bikes through the local woods. Den building always meant searching for appropriate materials for cover, and I remember finding on several occasions porn mags and VHS cassettes in black plastic bags, and in sheds in horse fields. One find was a good 5 min walk from the closest road, but our den was directly opposite the entrance to the field; we saw someone stop a car, walk for about 10 minutes and come back, driving off in a very angry manner. How much does porn cost? Always thought it was free (even as a kid in the 90's).
But this application shouldn't need to know the current passwords, just whether a hash of the current password matches a hash of the stolen credentials, storing a result (match/no match) and then discarding the hashes.
If they're going through saving new passwords/password hashes, I suspect they may not be good people...
If the site doesn’t have access to my credit card, who cares?
If my TheRegister login was cracked (for example) I’d just check to see if they posted anything good.
My important logins won't be cracked with brute force unless there's a flaw in the encryption, and 99.99999% of the world's population will get their credentials exposed first.
My pw for this site is ancient and I used to use it for a lot of sites. But that was with an old work email address which is no longer valid, leaving El Reg last man standing.
Now I use phrase initials with unique endings and I have multiple phrases, from my own unpublished poetry. Crack that.
If I understand correctly, if anyone anywhere has used a password that's been leaked it gets onto the list and you get advised to change *your* PW which relates to a *different* service with a *different* user ID. A leaked PW alone is of little use to anybody.
I said "Little use" rather than "none" because I guess someone trying a dictionary attack might use the list of compromised passwords as their dictionary but surely any credible login system blocks dictionary attacks these days...
If the alert were for poor passwords: too short, no use of mixed upper & lower case, numbers and some non-alphanumerics, that would be valid (but annoying when visiting web sites that don't permit non-alphanumerics in passwords).
Alternatively, if the blacklist were just of, say, the top 10,000 passwords then it might be worth advising those using things like "123456", "password", "letmein" and "topsecret" that their choice may be poor (although like others I have a garbage email and UID/password pair I re-use on inconsequential sites, like those wanting a login for reasons like "get our free whitepaper on...").
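An added example, not part of this thread, Google's paper or the Password Checkup extension, that sketches the three mechanisms the comments above argue about: a checker that compares only a hash of the password against a corpus of breached hashes and keeps nothing but the match/no-match verdict (the point made a few comments up about not needing the plaintext), a blocklist of the most common passwords (the "top 10,000" suggestion), and per-account throttling of failed logins, which is what "blocks dictionary attacks" has to mean in practice if a leaked-password list is to be of little use. The hash corpus, the blocklist, the account name and every function name are constructed for illustration; a real service would use its own hashing scheme and a far larger list.

```python
# Added example: hash-only breach check, common-password blocklist and
# per-account login throttling. All data below is constructed, not taken
# from the paper or the extension.
import hashlib

# Constructed "breach corpus": the checker holds only SHA-256 hashes of the
# leaked passwords, never the plaintexts (a stand-in for whatever hashing a
# real service uses).
BREACHED_HASHES = frozenset(
    hashlib.sha256(pw.encode("utf-8")).hexdigest()
    for pw in ("123456", "password", "letmein", "topsecret", "hunter2")
)

# Constructed top-N blocklist of common choices.
COMMON_PASSWORDS = frozenset({"123456", "password", "letmein", "topsecret", "qwerty"})


def password_is_breached(password: str) -> bool:
    """Hash the candidate, test membership, return only the verdict.

    The digest is a local variable that goes out of scope on return; nothing
    derived from the password is stored.
    """
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return digest in BREACHED_HASHES


def password_is_common(password: str) -> bool:
    """Top-N blocklist check; case-insensitive so 'Password' is caught too."""
    return password.lower() in COMMON_PASSWORDS


class LoginThrottle:
    """Per-account failure counter with a lockout window.

    After `max_failures` failed attempts within `window_seconds`, further
    attempts on that account are refused until the window has passed, which
    caps how many entries of a leaked-password list can be tried.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures: dict[str, list[float]] = {}

    def is_locked(self, account: str, now: float) -> bool:
        # Drop failures older than the window, then compare the remainder.
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_seconds]
        self._failures[account] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._failures.setdefault(account, []).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  correct_password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad_password'.

    Constructed verifier: a real system compares against a salted hash, not a
    plaintext; the throttle check happens before any password comparison.
    """
    if throttle.is_locked(account, now):
        return "locked"
    if password == correct_password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad_password"


def guesses_under_throttle(guesses: list[str], correct_password: str, start: float = 0.0):
    """Replay a list of guesses, one per second, against one constructed account.

    Returns (per-attempt outcomes, whether the correct password got through).
    """
    throttle = LoginThrottle(max_failures=5, window_seconds=900)
    outcomes, found = [], False
    for i, guess in enumerate(guesses):
        result = attempt_login(throttle, "alice", guess, correct_password, start + i)
        outcomes.append(result)
        found = found or result == "ok"
    return outcomes, found


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple"):
        print(f"{pw!r}: breached={password_is_breached(pw)} common={password_is_common(pw)}")
    # The correct password is in the leaked list, but sits behind five misses,
    # so the throttle refuses the attempt that would have succeeded.
    print(guesses_under_throttle(
        ["123456", "password", "letmein", "topsecret", "qwerty", "hunter2", "tr0ub4dor"],
        correct_password="hunter2",
    ))
```

The throttle is the part that turns the thread's "little use" into a measurable claim: once the per-account limit is hit, the remaining entries of a compromised-password list are never compared at all, so the attacker learns nothing from them within the window. The breach check keeps the same discard-after-compare shape the comment above asks for, and the blocklist is a plain set lookup that a site can run at registration or password change.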
"Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking."
Jesus sweet Christ, it's Monday morning. Do turn down the corporate speak mumbo-jumbo out of respect for the recently departed weekend.
And maybe, just maybe, if the lads didn't use corporate action words like that, then common folk might be more apt to change their poorly chosen passwords.