Thousands of Chrome Users Won't Change Passwords They Know Are Hacked

Password attempts written on paper.
(Image credit: designer491/Shutterstock)

It seems nothing can persuade people to change their passwords account-by-account — not even knowing a password has been compromised and should no longer be used. 

This week, Google released the results of a security study, revealing that 26 percent of users who were told one of their passwords had been leaked in a data breach ignored prompts to change those very same compromised passwords.

In February, Google rolled out a breach notification service as part of Chrome's 'Password Checkup' extension. The 670,000 users who installed the extension had their credentials (anything they used to log into accounts while using Chrome) checked against 4 billion sets of usernames and passwords exposed in past data breaches.

Of the 21 million sets of account credentials scanned by Password Checkup, 316,000 — or 1.5 percent — had already been compromised.


The Password Checkup extension told those users which of their credentials had been compromised and prompted them to change their passwords via a convenient pop-up window. Despite those alerts, more than 81,000 account holders — or 25.7 percent of those warned — ignored the call to action.

Why not change the passwords?

The researchers offered several reasons for why users might want to stick with compromised passwords. 

Users may have judged that an affected account wasn't worth the effort of coming up with a new password. They might not have control over the account. Or, because the extension doesn't automate a password reset, users might ignore the warning for lack of guidance on what to do next. (You can read the entire academic paper here.)

On the other hand, 26.1 percent of people who were warned of compromised passwords did generate new passwords. Google's study did not disclose how the remaining 48.2 percent of the 316,000 warned account holders responded to the warning.

Credential stuffing ...

This data reaffirms why hackers use "credential stuffing" and "password spraying" attacks on online accounts. 

Credential stuffing targets people who reuse passwords on multiple accounts. Attackers take thousands or even millions of known username-password sets and try each one, one after another, to log into widely used online services.

Because many people reuse the same credentials again and again, the attackers will be able to get into many online accounts — no matter how strong a password might be. 

So if "Alex Smith" uses "alex.smith@gmail.com" and "kitty5555" to log into many online services, then a data breach at only one service will let attackers log into all of those accounts.

...vs. password spraying

Password spraying hits people who use weak passwords. Attackers take valid, or likely-to-be-valid, usernames and try to log into online services with them while guessing or "brute-forcing" the associated passwords. They use lists of common, weak passwords such as "password" or "123456", and can also generate likely passwords, such as by adding numerical strings to commonly used words.

So an attacker could get "alex.smith@gmail.com" from a list of email addresses, or just assume that someone would use it, and then try to log into online accounts with that username and the top 10,000 most common or easily generated passwords. They would get to "kitty5555" before too long.

Whether the attacker uses credential stuffing or password spraying, the end result is the same: Your account has been compromised. And if you've reused passwords, then they've opened the door to many of your online accounts.

The defense against credential stuffing is simple: Use a unique password for each and every online account. The defense against password spraying is also simple: Use a strong, hard-to-guess password for each and every online account.
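As an added illustration, not code from the article or from Google's extension: a small checker that applies the three defenses just described to a candidate password, flagging it if it appears in a breach corpus, if it fits the word-plus-digits shape that spraying lists are built from, or if it is already used for another account. The breach lookup is modeled on the k-anonymity range query used by Have I Been Pwned, which is not how Password Checkup itself works; the breach set, wordlist and vault are constructed sample data.

```python
import hashlib
import re

# Constructed sample data, not real breach records: SHA-1 digests of a few
# passwords that turn up in leaked credential sets.
LEAKED = {hashlib.sha1(p.encode()).hexdigest().upper()
          for p in ("kitty5555", "password", "123456", "qwerty")}

# A short constructed stand-in for a "most common passwords" wordlist.
COMMON_WORDS = {"password", "kitty", "welcome", "letmein", "dragon", "monkey"}


def range_query(prefix: str):
    """Server side of a k-anonymity range query (the Have I Been Pwned scheme;
    Google's own protocol differs): given the first 5 hex chars of a SHA-1,
    return every matching suffix. The server never sees the full hash."""
    return sorted(h[5:] for h in LEAKED if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def is_guessable(password: str) -> bool:
    """Flags what spraying lists are built from: a common word with an optional
    run of digits tacked on (kitty5555, password1), or anything very short."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,6})", password)
    word_plus_digits = bool(m) and m.group(1).lower() in COMMON_WORDS
    return word_plus_digits or len(password) < 12


def assess(vault: dict, site: str, password: str) -> set:
    """Return the problems with using `password` for `site`, given the user's
    other stored passwords. An empty set means unique, unguessable, unbreached."""
    problems = set()
    if is_breached(password):
        problems.add("breached")
    if is_guessable(password):
        problems.add("guessable")
    if any(p == password for s, p in vault.items() if s != site):
        problems.add("reused")
    return problems


if __name__ == "__main__":
    vault = {"bank.example": "kitty5555", "mail.example": "kitty5555"}
    print(assess(vault, "shop.example", "kitty5555"))        # all three problems
    print(assess(vault, "shop.example", "Qk7!vb2#Tm9z&Lp4"))  # set()
```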

You've heard it before and you'll hear it again: use unique, strong passwords for each site. If you're warned a password has been compromised, change it, and consider using a password manager going forward. We've even reviewed the best services for your convenience. 

Kate Kozuch

Kate Kozuch is the managing editor of social and video at Tom’s Guide. She writes about smartwatches, TVs, audio devices, and some cooking appliances, too. Kate appears on Fox News to talk tech trends and runs the Tom's Guide TikTok account, which you should be following if you don't already. When she’s not filming tech videos, you can find her taking up a new sport, mastering the NYT Crossword or channeling her inner celebrity chef.
