Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Google IT

Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says (vice.com) 58

A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they're keen on having their data hijacked, their identity stolen, or worse. From a report: It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that's largely mitigated by using a password manager and unique password for each site you visit. Sites like "have I been pwned?" can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it's still a confusing process for many users unsure of which passwords need updating.

To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary. The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer. Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is.

This discussion has been archived. No new comments can be posted.

Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says

Comments Filter:
  • I never had to expose my password

  • We have been telling the users this forever.
    How we just stop and then laugh at them when their shit gets hacked. That prolly (will not) get them to properly manage their passwords.
    • No, it's your guys' fault for not salting and hashing passwords properly (thus preventing attackers from trying the same password with other services.) There's no reason to not create standards that mandate this happen on both clientside (so we can audit it ourselves and make 100% sure it's properly happening, damnit) as well as serverside. It's perfectly possible for us to fix things so that the only risk of password reuse is if the device you're using is compromised (which is a risk of course, but I suspe
      • No, it's your guys' fault for not salting and hashing passwords properly

        I always used "SaltedHash1" as my password, I still got hacked! In fact, this isn't me writing this, it's someone who hacked my Slashdot account.

      • Addendum: Weak (brute-forcible) passwords aren't good to reuse for the same reason they aren't good, period. But a robust salt and hash scheme should protect strong passwords quite well. If the password is strong and is securely handled on the end user's device (isn't stored locally and is wiped in ram immediately after use), nothing short of a keylogger or some exploit to intercept it in ram at just the right moment would make password reuse risky.
      • The big issue is why isn't client side certificates standard. You should create one account probably with the browser manner, then get a client side cert signed by a ca to identify you to every website. Simple. You can then expert and import to other browsers. Instead we have this absurd standard practice on internet for users to check identify of servers via certs, but servers to check users via passwords..... Makes no sense. Then we have neither Google, Apple, not Microsoft doing a good password mana
    • by Puls4r ( 724907 )
      Right. The users (who probably use 100s of websites) are supposed to come up with unique passwords that use a capital letter, symbol, lower case letter, and number. For each and every website. And remember them too.

      Or they course use a password manager - that not be able to get in to the websites if there's a problem. Or if someone hacks the password manager. Or... Or...

      There's no easy way to fix this - but blaming it on the end user is the height of arrogance.
      • The easy way would be for a CA to allow users to create a client cert. Users then load the encrypted client cert into the browser using a single password to decrypt. Every site can now verify user identity via the cert. One password and one cert for every user. Simple.
        • One cert and one password to hack for every website the user uses. I fail how to see this fixes the problem. I reuse passwords for sites that don't matter, if someone hacks some fucken forum on whatever and posts as me I don't give a shit. I use unique passwords for sites that DO matter, banking, email (for resetting passwords) cloud storage etc. Sometimes I just want to say thanks to someone on a forum who posted an answer to an issue I was having (that someone else asked) and I have to register blah b
  • by bobbied ( 2522392 ) on Friday August 16, 2019 @11:59AM (#59094284)

    How about Millions or Billions?

    Face it, you are massively underestimating the number of stupid people out there.

    • by gweihir ( 88907 )

      Since estimating password strength requires some advanced Mathematics, I mostly fault the incompetence of the CS community in coming up with sane guidelines for creating this mess.

      • by garyisabusyguy ( 732330 ) on Friday August 16, 2019 @12:24PM (#59094384)

        Complex password requirements usually result in people writing them down and sticking them to their monitor or keyboard

        Also, most cracking software does not rely on simple dictionary attacks, so complex passwords really are not the panacea they seem to be

        The primary problem is that businesses that develop apps do not put security first and even if they did, proper security standards for software development do not exist

        If companies and developers cannot produce secure software, then forcing people to follow password guidelines is just kabuki

        • by gweihir ( 88907 )

          Indeed. And if there were not so many businesses that do not even understand the basics of secure password storage and then got hacked, the attackers would never have gotten this much data bout what passwords users chose.

          I think we will eventually need what all other engineering disciplines have: Strong requirements as to qualification. That will make coders much more expensive, but it will be well worth the price.

        • by tlhIngan ( 30335 )

          Also, most cracking software does not rely on simple dictionary attacks, so complex passwords really are not the panacea they seem to be

          Indeed. While a complex password does increase the keyspace, once you introduce the human element, the increase in keyspace goes form exponential to linear.

          Enough that password crackers will try common substitutions as part of a dictionary attack.

          Say for "password", a cracker will also try "passw0rd", "pa55word", "pa55w0rd", "p4ssword", "p455word" .... "Password", "Passw0rd

        • Complex password requirements usually result in people writing them down and sticking them to their monitor or keyboard

          My wife has a little black book in her top drawer with all her passwords in it (not her important ones).
          Her argument is that someone has to physically break into the house, force open the drawer and take the book.
          Unless someone...
          a) knew the book was even there
          b) actually cared enough to circumvent the home security alarm, armed response, guard dogs etc. to get to the book
          They would p

          • by reg ( 5428 )

            The trick is to write the passwords down incorrectly, but just wrong enough that you know how to fix it easily... Like adding one to all the digits, or using "$" instead of "#". That way you only have to remember a little fix, but whoever has the book will spend a long time trying to correct it, and because they've taken the time to get the book there is a much higher chance that they'll lock themselves out. A good chunk of online risk is offline attacks against a hash, where the three strikes doesn't ap

            • That's how I write down my passwords at work--shorthand. Big 6 little 78 means hold Shift and type down from 6: ^YJM and then let go of shift and type down 7ujm and 8ik,

              Other folks have to first see it, I have sticky notes all over the place, and then know what it means. And they have to realize the 6 is that much bigger than the 7 and 8.
        • complex passwords really are not the panacea they seem to be

          This statement is similar to the panic after Edward Snowden went public when people were claiming encryption doesn't protect communications. A properly constructed random password of sufficient length would take weeks or months to crack if possible at all.

          There will always be insecure websites/servers/databases, just like there will always be pirated music/movies/ebooks. Deplorable but a reality. This is why for authentication/authorisation, we need to create good passwords (for the sites that aren't hacked

        • by reg ( 5428 )

          Another problem is that the more complex the password the easier it is to spot in the key log. Which is why passphrases like "copy readme.txt C:\Temp\" or "=SUM(A1:B6)*C2+if(D1=0,A1,B1)" are good... Those are also good for saving on disk in sneaky files like "copyfiles.bat" and "Book6.xlsx", rather than "mysecretpasswords.txt".

    • And you're also massively underestimating the number of smart people out there.

      I've got multiple tiers of passwords. Some sites have information that I just don't care to protect because it is of little value. For example, you make me create an account to print a recipe? Ok, I'm gonna use a really lame-but-easy username/password combination that I've used all over the place and have been involved in hacks. Because it just doesn't matter if someone knows I printed a recipe for a cake.

      My bank? That's got

    • by nnull ( 1148259 )
      I use the same password for stupid sites that want me to register. Fake name, same password, I don't care if it gets hacked. Everything else is with keepass.
  • How about website devs work with LastPass, etc, to make it much easier to change my password? Can it be gotten down to a single click process and still be secure? Ie, a ubiquitous "1-Click Update Password" at the top of any site you are logged into?
    • And what happens when LastPass gets hacked?
      • The same thing that happens when the AWS control plane gets hacked: the shit hits the fan for a LOT of people. All sorts of havoc breaks loose for a while. Then we mop up the mess and carry on.

        Neither of these things have happened yet, to the best of my knowledge. But eventually they WILL happen.

        Security is illusive. There is no "secure" system, only "more secure". Or "less insecure" if you're feeling pessimistic.

  • ... companies have thrown many things online that don't need to be in order to maximize profits. Let's not mince words here, when you make every app or game online and force login registration in order to access said game or app, what exactly do you think the masses are going to do?

    Let's not try to simply blame the public here, companies are obsessed with undermining peoples basic rights to privacy and software ownership. It would really help if companies limited the # of login attempts from an IP block t

    • The problem is also using setting up a system where every site/service has its own password, writing its own authentication. Not only does it mean that people have hundreds of passwords to manage, but some of them are going to do a bad job securing them.

      We should really come up with a better system for authentication. There should probably be some mix of PKI and SSO for individual use instead of requiring Enterprise-grade setups to avoid needing a password manager.

    • Yep. I most likely am using compromised password/email combinations. But only on sites I don't give a shit about. Sites, like you note, that make me make a login even though there's no reason to need to do so.

      Given that I have zero faith in their ability to do security, I'm definitely not going to worry about using a strong password on a site where I don't see a reason to have a login in the first place.

    • My company requires I remember 14 independent passwords/PINs for work alone. I have multiple computer logins, voicemail, building security code, proxy, reimbursement, HR portal, VPN, spec database, etc. Many have to be changed quarterly, others have not changed in 5 years. Many are used only annually (performance review system) such that it is easier to just reset it annually than try to deal with it. I then have probably another 30+ passwords for personal purposes, again many that are used quite infreq

  • Stepping into bathtubs, leaving their homes, accepting many kinds of risks in exchange for better living. Most are rational and will prioritize their security matters pragmatically.

  • So this Google tool scrutinizes my password to determine if they already have it. That's interesting. They do now...

    • by Pieroxy ( 222434 )

      If you enter a password in Chrome, they could have it already. The extensioin oesn't really change anything. It's not as if it sends the password to Google anyways.

  • by gweihir ( 88907 ) on Friday August 16, 2019 @12:09PM (#59094322)

    The issue here is that for a long, long time most advice on passwords, and especially requiring it to be changed regularly, was bad. For example, there was this utterly stupid advice that you should not write down passwords, when in fact that is entirely fine as long as you do not make it obvious what they are for. Basically no hacker will steal your wallet as that requires physical access. And your wallet being stolen is not only a rare event, it is pretty noticeable.

    Hence most people are completely clueless how to handle passwords. They are also clueless about how to chose them (and the usual guidelines about lower/uppercase , numbers and special symbols are just stupid and harm much more than they help) and they are clueless about how strong they are (even CS students often struggle with that). Hence this mess. It is a mess created IMO in equal parts by missing user education (this topic should be taught in schools) and far too much false and sometimes outright harmful "information" floating around. The latter is the fault of the CS community, and most decidedly not of the users.

    tl;dr: The idea of passwords is fine, but all the myths and wrong advice given has to stop.

    • Don't forget the websites that limit password length, so the "use a passphrase not a password" doesn't work.

      • by gweihir ( 88907 )

        Indeed. And quite a few more stupid things.

        • Like limiting special characters to a subset, because we're too dumb to figure out how to hash and store them and are worried about our script breaking when it sucks them in. I've seen more than a couple websites do this, run by some shockingly large companies.

    • by Dixie_Flatline ( 5077 ) <vincent@jan@goh.gmail@com> on Friday August 16, 2019 @12:50PM (#59094456) Homepage

      I think we should also teach people that not all passwords are equally as valuable.

      I use the same password for a bunch of forum sites and low-value logins. If the password is hacked and the information stolen, whatever. None of it is particularly valuable to me, so it gets a pretty weak password.

      My bank password is randomly generated, stored in a vault, and will change immediately if the bank ever hints at having been compromised. In truth, I don't even know what it is, and I have to have my phone with me if I want to log into my bank's website. I only memorize one extremely strong password, and that's to my vault, and it's not used anywhere else.

      Stop making people come up with complicated unique passwords for BS forums that they're only on for one question before they leave forever. Reduce the password fatigue.

  • by bobstreo ( 1320787 ) on Friday August 16, 2019 @12:10PM (#59094326)

    for multiple sites like gmail, youtube, play store, google drive... ?

  • Why should I believe the claim on privacy. Is it 100% bug and hack free forever?
  • I only use Facebook for the SSO login. If there was a really true Kerberos key server which a majority of the third party webpages used I would have an account there. But it would have to be running OpenBSD. ;)
  • by stevel ( 64802 ) on Friday August 16, 2019 @12:26PM (#59094386) Homepage

    There are multiple reasons why so many users continue to reuse passwords and to choose hacked passwords. None of them involve the user being "stupid".

    1) Bizarre and often undocumented site policies on which characters a password may contain, leading to choosing simple ones
    2) Sites that limit password length or insist on a 4-digit PIN as the password.
    3) Sites that require frequent password changes in the name of "security" but instead encourage simplistic derivations (add current month number to prefix, etc.)
    4) Sites that interfere with password managers, such as blocking auto-fill or making the manager think the username has changed to asterisks
    5) Password managers that are difficult for non-experts to use reliably, and that's pretty much all of them. I use LastPass and, while it mostly works ok for me, it still sometimes does bizarre things.
    6) Users who think that they are unimportant to hackers or that their accounts have no value, thus they can't be bothered with a strong and unique password for each site.

    Several password managers do automate password changes with hundreds of popular sites, and this mostly works, but first you have to convince the user that it's a good thing to do so. I have relatives who insist on reusing simple passwords, even using a password manager to store them, because they don't trust the password manager.

    None of the browsers I have seen include what I would call good password managers. They can remember and fill in ok, but don't help users pick good passwords and generally don't store the passwords securely as external managers typically do. If the major browsers could up their game here, it would help. Chrome's extension is a good first step, but people have to ask for it first.

    • Thank you stevel. #4 is maddening to me. I've been using Roboform for years now and generate passwords, even for crap websites. Sites that prevent autofill are maddening and require me to copy paste my password from the vault.

      Designers, use throttles to prevent password stuffing on your web forms, not limitations to legitimate uses.

    • "Several password managers do automate password changes with hundreds of popular sites, and this mostly works, but first you have to convince the user that it's a good thing to do so. I have relatives who insist on reusing simple passwords, even using a password manager to store them, because they don't trust the password manager." This worries me, because if the stored data gets corrupted or something else happens to the program, you might find yourself locked out of your account forever, if the site lac
      • "You will still have to log the passwords somewhere in human readable form, and of course, this is a security issue by itself." This would be of course for if the password manager or the machine it's on goes belly up
      • by stevel ( 64802 )

        The password managers I have used all allow for a local, encrypted copy to be saved and provide a way to decrypt the collections without relying on an external service (with the master password, of course). Even if the password manager goes belly-up and/or the cloud server becomes inaccessible, I still have complete access locally to my saved data.(LastPass, for example, by default stores a local encrypted vault copy that is used if the server can't be reached.)

        There's a lot of FUD about risks of password m

  • by Artem S. Tashkinov ( 764309 ) on Friday August 16, 2019 @12:35PM (#59094400) Homepage

    Hundreds of thousands of websites require worthless and meaningless user registration which makes people use the simplest passwords possible 'cause they couldn't care less.

    FTFY

  • Because who is going to remember g%65#6biu belongs to Google and 778$9z!! belongs to Facebook out of a list of a couple hundred unique websites and passwords? It seems every stupid little website needs login credentials these days, it's a sickness. And "password wallets" and other such crap is just a half assed attempt to solve the problem. If something goes wrong with it or it gets 'hacked', you're still fucked. Companies need to stop blame shifting and fix their own damn security issues.
  • Comment removed based on user account deletion
  • You know that key to your filing cabinet? It's the same as that other key to that secret lockable drawer in your bedroom closet. In fact, most shitty keys are one of a dozen popular ones, or one of a few dozen less popular ones. Identical keys, except that one has a picture of mickey mouse on it.

    Your air conditioner sits outside of your house. Accessible by anyone. It doesn't even have a key. It has a screw, and not a security screw either. In fact, the safety shut-off doesn't even have a screw. It

    • You can't stop me from breaking into my friend's e-mail. But it's very easy to make me not want to do it. That's called jail time.

      Your idea doesn't work. Chinese or Bulgarian hackers have no reason to fear jail time for using re-used passwords to get into Americans' online accounts. And they never will.

      • Like I said, law enforcement. No one ever said that it had to be within a single legal jurisdiction. We have plenty of laws that cross borders. We need the same ones for digital access.

  • Your intelligence should feel insulted by Google over this.
  • Here's how to make your passwords unique: Have a phrase that's the same for all passwords. Then append "bank" or "creditcard" or "safeway" etc. to the phrase, for your passwords for your bank, credit card, and Safeway accounts. For example:

    123-iLikepeanutbuttersandwichesbank
    123-iLikepeanutbuttersandwichescreditcard
    123-iLikepeanutbuttersandwichessafeway

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...