It seems nothing can persuade people to change their passwords account-by-account — not even knowing a password has been compromised and should no longer be used.
This week, Google released the results of a security study, revealing that 26 percent of users who were told one of their passwords had been leaked in a data breach ignored prompts to change those very same compromised passwords.
In February Google rolled out a breach notification service as part of Chrome's 'Password Checkup' extension. The 670,000 users who installed the extension had their credentials -- anything they used to log into accounts while using Chrome -- checked against 4 billion sets of usernames and passwords exposed in past data breaches.
Of the 21 million sets of account credentials scanned by Password Checkup, 316,000 — or 1.5 percent — had already been compromised.
The Password Checkup extension told those users which of their credentials had been compromised. and prompted the users to change their passwords via a convenient pop-up window. Despite those alerts, more 81,000 account holders — or 25.7 percent of those warned — ignored the call to action.
Why not change the passwords?
The researchers offered several reasons for why users might want to stick with compromised passwords.
Users may have made risk assessments that an impacted account might not be worth the effort of conjuring a new password. They might not have control over the account. Or, because the extension doesn't automate a password reset, users might ignore the warning due to lack of guidance. (You can read the entire academic paper here.)
On the other hand, 26.1 percent of persons who were warned of compromised passwords did generate new passwords. Google's study did not disclose how the remaining 48.2 percent of the 316,000 warned account holders responded to the warning.
Credential stuffing ...
This data reaffirms why hackers use "credential stuffing" and "password spraying" attacks on online accounts.
Credential stuffing attacks people who re-use passwords on multiple accounts. Attackers take thousands or even millions of known username-password sets and try to use each, one after another, to log into widely used online services.
Because many people reuse the same credentials again and again, the attackers will be able to get into many online accounts — no matter how strong a password might be.
So if "Alex Smith" uses "email@example.com" and "kitty5555" to log into many online services, then a data breach at only one service will let attackers log into all of those accounts.
...vs. password spraying
Password spraying hits people who use weak passwords. Attackers take valid, or likely-to-be-valid, usernames and try to log into online services with them while guessing or "brute-forcing" the associated passwords. They use lists of common, weak passwords such as "password" or "123456", and can also generate likely passwords, such as by adding numerical strings to commonly used words.
So an attacker could get "firstname.lastname@example.org" from a list of email addresses, or just assume that someone would use it, and then try to log into online accounts with that username and the top 10,000 most common or easily generated passwords. They would get to "kitty5555" before too long.
Whether the attacker uses credential stuffing or password spraying, the end result is the same: Your account has been compromised. And if you've reused passwords, then they've opened the door to many of your online accounts.
The defense against credential stuffing is simple: Use a unique password for each and every online account. The defense against password spraying is also simple: Use a strong, hard-to-guess password for each and every online account.
You've heard it before and you'll hear it again: use unique, strong passwords for each site. If you're warned a password has been compromised, change it, and consider using a password manager going forward. We've even reviewed the best services for your convenience.