• by Laurie Sullivan  @lauriesullivan, August 16, 2019

Bad habits are difficult to break, especially when it comes to reusing a sequence of numbers, letters and symbols in passwords.

Since users tend to reuse old passwords, Google in February launched the Password Checkup extension for Chrome. It displays a warning when someone who has signed up signs in to a site using one of the more than 4 billion user names and passwords Google deems unsafe as a result of a third-party data breach.

The Chrome extension does not automate the process of resetting the password. Users can ignore warnings. It does alert the user that the password is not safe and suggests they use another one. 

In other words, the Chrome extension alerts the user if the password was used to secure an account that was breached. These are the most vulnerable passwords. 

Of the nearly 667,716 people who installed the extension and participated in the research between February 5, 2019 and March 4, 2019, Google managed to scan 21 million log-in user names and passwords, flagging 316,000 as unsafe. This mean 1.5% of logins on the web involve breached credentials. About 26% of Google’s warnings led users to use a new password.

Overall, users opted to ignore 81,368 -- or 25.7% -- of the breach warnings.

The research found that users tend to reuse breached log-ins for some of their most sensitive financial, government, and email accounts. Of the 1,684,851 visits to financial sites, 0.3% received warnings and 18.6% were ignored.

This risk was even more prevalent on shopping sites -- where many users save credit card data -- as well as news, and entertainment sites. Of the 1,007,103 visits to shopping sites, 1.2% received warnings and 16.4% were ignored.

Based on the data, the research shows that users reset 26% of the unsafe passwords flagged by the Password Checkup extension, and 60% of new passwords are secure against guessing attacks, which means attackers would need to try more than one-hundred million guesses before identifying the new password.

Some 48% of the users who installed the extension were from North America, while 29% were from Europe, 17% were from Asia, and the remaining 6% were from around the world. About 71% of users who installed the extension used Windows, 14% used MacOS, 13% ChromeOS, and 2% Linux.

The extension, for now, is unavailable on mobile devices.

Along with the data, Google released two features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform Google about any issues they face through a comment box. The second lets users opt-out of the anonymous telemetry the extension reports, including the number of lookups that surface an unsafe credential.