Alerted to exposed credentials, users do something about it roughly a quarter of the time
Between February and March this year, after Google released a Chrome extension called Password Checkup to check whether people's username and password combinations had been stolen and leaked from website databases, computer scientists at the biz and Stanford University gathered anonymous telemetry from 670,000 people who installed the add-on.
On Friday, the boffins – Kurt Thomas, Jennifer Pullman, Kevin Yeo, Ananth Raghunathan, Patrick Gage Kelley, Luca Invernizzi, Borbala Benko, Tadek Pietraszek, Sarvar Patel, and Elie Bursztein from Google, with Dan Boneh from Stanford – presented a paper describing the results of their data gathering at the USENIX Security conference.
The paper [PDF], titled "Protecting accounts from credential stuffing with password breach alerting," reveals that about 1.5 per cent of logins on the web involve credentials that have been exposed online.
"During this measurement window, we detected that 1.5 per cent of over 21 million logins were vulnerable due to relying on a breached credential – or one warning for every two users," the paper says, noting that the figure is significantly less than a 2017 study where the rate was 6.9 per cent.
For the 28-day period, 316,531 logins involved leaked credentials. Warnings sent to users were then ignored about a quarter of the time (26 per cent); these notifications also resulted in password resets about 26 per cent of the time.
The researchers suggest three potential explanations: that users may not believe the ri ..