August 17, 2019
Online giant Google recently released the findings of its broad study about password habits. The results show why cybercriminals keep implementing so-called password spraying attacks online: the user community is incredibly naive and continually sticks with the same old passphrases, even after being repeatedly warned that those passphrases have been hacked.
The results of the study are extremely worrying from a security standpoint: Google shows that people are sticking with passwords that have already been hacked, and it is increasingly evident that bad habits in choosing a passphrase are very difficult to change. People keep ignoring even the most basic security tips, and they look away when they get warnings about possible breaches.
Getting to Know the Password
The password spraying approach has been gaining steam as a brute-force technique, or rather as a way to guess passphrases while dodging security systems that lock the user account once a specific number of wrong guesses has been entered.
Even officials of the American government recently warned that Iranian cybercriminals have been using the password spraying approach in order to inject dangerous malware into specific networks. They used the technique to hack Citrix, a known tech firm, and subsequently steal a large amount (approximately 6 TB) of valuable data.
Just as a water sprayer ‘sprays’ the liquid over a lawn or any other chosen setting, password spraying refers to a hacker or group collecting a huge number of account usernames and then hitting the login button with a few of the worst and easiest-to-guess passwords. Playing the odds, at least a small percentage of the attempts will result in a successful login.
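Defender-side detection of the pattern just described, as an added example that is not from the article: the script below, which assumes a constructed log format and a constructed per-account lockout threshold, flags a source address that fails against many distinct accounts while staying under that threshold for each account, and distinguishes that from a single-account brute force that the lockout policy already handles.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log sample (not from the article): "<ISO time> <src IP> <user> <FAIL|OK>"
SAMPLE_LOG = """\
2019-08-17T10:00:01 203.0.113.7 alice FAIL
2019-08-17T10:00:03 203.0.113.7 bob FAIL
2019-08-17T10:00:05 203.0.113.7 carol FAIL
2019-08-17T10:00:07 203.0.113.7 dave OK
2019-08-17T10:00:09 203.0.113.7 erin FAIL
2019-08-17T10:00:11 203.0.113.7 frank FAIL
2019-08-17T10:01:00 198.51.100.9 alice FAIL
2019-08-17T10:01:02 198.51.100.9 alice FAIL
2019-08-17T10:01:04 198.51.100.9 alice FAIL
2019-08-17T10:01:06 198.51.100.9 alice FAIL
2019-08-17T10:01:08 198.51.100.9 alice FAIL
2019-08-17T10:02:00 192.0.2.5 grace FAIL
2019-08-17T10:02:10 192.0.2.5 grace OK
"""

def parse_log(text):
    """Yield (timestamp, source_ip, username, success) for each log line."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """Flag source IPs whose failures inside one `window` touch at least `min_users`
    distinct accounts while every account stays below the assumed per-account
    `lockout_threshold`; a single-account brute force exceeds it and is not flagged."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                flagged[ip] = {"distinct_users": len(per_user),
                               "max_fails_per_user": max(per_user.values()),
                               "accounts_logged_in": sorted(successes[ip])}
                break  # one hit per source is enough for an alert
    return flagged
```

On the sample, only 203.0.113.7 is flagged: it touched five accounts with one failure each and then logged in as dave, while 198.51.100.9 hammered a single account past the lockout count and 192.0.2.5 is an ordinary mistyped password.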
The Top Five of the Hacked
According to Microsoft’s team of cybersecurity experts, the most commonly used passwords in spraying attacks are ‘123456’, ‘password’, ‘000000’, ‘1qaz2wsx’, and ‘a123456’. Those are the top five.
Google’s insight on the matter comes from the 670,000 Chrome users who installed the Password Checkup extension. That’s where it got the information about password habits used to conduct the study.
The tool has been available since February 2019, has received positive feedback, and has been compared with Firefox’s Monitor breach-alert service. The latter feeds on compromised data gathered by the Have I Been Pwned specialists.
Google’s data is broad enough for it to know that roughly four billion credentials have already been compromised at some point. That’s why the Password Checkup service can warn users whether their password has ever been exposed in a breach or whether it is still secure. More often than not, however, users ignore the fact that their credentials have been
By the Numbers
Google knows that approximately 1.5 percent of more than 21 billion login attempts used breached credentials, and these attempts were spread across 746,000 domains all over the Internet.
Of all login attempts, 3.6 to 6.3 percent of those made on video streaming services and porn platforms used compromised credentials. Approximately 1.9 percent of login attempts on news sites used previously breached passwords, with the shopping, email, and finance sectors being the next closest.
Google made it known that 25.7 percent of the alerts it issues to users don’t result in a password change, but 26.1 percent of them do trigger a modification. Of those who opt to alter their credentials for enhanced security, 60 percent aren’t vulnerable to
Google’s staffers and researchers defend the notion that their Chrome extension is significantly better than the systems that Have I Been Pwned and Firefox Monitor implement.
The researchers at Google also say that the rival services are vulnerable to exploits as well, because of the tradeoff they accept: they sacrifice privacy and share lots of account details on