Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Data Protection

Many Users Don’t Change Unsafe Passwords After Being Warned: Google

Google has shared some interesting data collected by the company from users of its Password Checkup extension for Chrome.

Google has shared some interesting data collected by the company from users of its Password Checkup extension for Chrome.

Password Checkup, announced in February, is designed to display a warning to Chrome users whenever they log in to a website using credentials that are known to have been compromised in a third-party data breach. Password Checkup checks the usernames and passwords entered by users against a database containing over 4 billion records.

Google says more than 650,000 have used the extension, and in the first month since its launch it scanned roughly 21 million credentials, of which 1.5%, or 316,000, were marked as unsafe.

However, data collected by the company shows that only 26% of unsafe passwords have been reset and 60% of the new passwords are strong enough to withstand guessing attacks.

Password strength before and after reset

Worryingly, some users have reused compromised passwords for sensitive accounts, including email (0.5%), finance (0.3%), and government (0.2%). The percentage is higher in the case of entertainment (6.3%), news (1.9%), and shopping (1.2%) websites, Google said.

“Outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking,” the tech giant said in a blog post.

Google also announced that it has added two new features to Password Checkup. One allows users to easily send feedback about the extension, while the other gives users more control over their data by allowing them to prevent the tool from sending anonymous telemetry data to Google. This telemetry data includes the number of lookups that reveal unsafe credentials, whether an alert from the extension results in a password reset, and the domain involved.

Advertisement. Scroll to continue reading.

Researchers at Google and Stanford have also published a paper describing a new protocol where a client can query a data breach repository for specific credentials without revealing the queried information.

When it introduced Password Checkup in February, Google also released the results of a survey of 3,000 Americans. The study showed that 53% of respondents understood the value of including letters, numbers and symbols in their passwords, but only 39% did so, and only 23% believed that password length was important.

Related: Google Warns G Suite Customers of Passwords Stored Unhashed Since 2005

Related: Google Helps G Suite Admins Enforce Strong Passwords

Related: Latest Version of Chrome Improves Password Management, Patches 40 Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...