Posted on August 17, 2019 at 10:12 AM
Online giant Google recently released the findings of its broad study of password habits. The results show why cybercriminals keep carrying out so-called password spraying attacks: the user community is remarkably naive and continually sticks with the same old passphrases, even after being repeatedly warned that those credentials have been hacked.
The results of the study are extremely worrying from a security standpoint: Google shows that people are sticking with passwords that have already been hacked, and it is increasingly evident that bad habits at the time of choosing a passphrase are very difficult to modify. People keep ignoring even the most basic security tips, and they look away when they get warnings about possible breaches.
Getting to Know the Password Spraying Technique
The password spraying approach has been gaining steam as a brute-force technique, or rather as a way to guess passphrases while dodging security systems that lock a user account after a specific number of wrong guesses has been entered.
Officials of the American government even warned recently that Iranian cybercriminals have been using the password spraying approach to inject dangerous malware into specific networks. They used the technique to hack Citrix, a well-known tech firm, and subsequently steal a large amount (approximately 6 TB) of valuable data.
Just as a sprinkler ‘sprays’ water over a lawn or any other chosen setting, password spraying refers to a hacker or group collecting a huge number of account usernames and then attempting to log in to each of them with a handful of the worst and easiest-to-guess passwords. Playing the odds, at least a small percentage of the attempts will result in a successful login, while each individual account sees too few failures to trigger a lockout.
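As an added illustration (not from the original article or from Google's study), the following Python function flags the pattern just described in authentication logs: one source producing failed logins against many distinct accounts while staying below the per-account lockout threshold. The log format, the sample lines and the thresholds are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data). Source 203.0.113.5 tries
# one guess against many accounts, staying under a 5-failure lockout; source
# 198.51.100.7 is a normal user who mistypes twice and then succeeds.
SAMPLE_LOG = """\
2019-08-17T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-08-17T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-08-17T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2019-08-17T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2019-08-17T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2019-08-17T10:00:06Z src=203.0.113.5 user=frank result=OK
2019-08-17T10:01:00Z src=198.51.100.7 user=grace result=FAIL
2019-08-17T10:01:05Z src=198.51.100.7 user=grace result=FAIL
2019-08-17T10:01:09Z src=198.51.100.7 user=grace result=OK
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_spray_sources(log_text, window=timedelta(minutes=10),
                       min_users=5, max_per_user=4):
    """Return {src: sorted users} for sources whose failures hit at least
    min_users distinct accounts within `window` while never exceeding
    max_per_user failures on any one account (the lockout-dodging pattern)."""
    by_src = defaultdict(list)
    for ln in filter(None, log_text.splitlines()):
        rec = parse_line(ln)
        if rec["result"] == "FAIL":
            by_src[rec["src"]].append(rec)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this source's failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for rec in fails[start:end + 1]:
                per_user[rec["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged
```

Run on SAMPLE_LOG, only 203.0.113.5 is reported; the source that failed twice on a single account and then succeeded is not, because a spray is recognised by breadth across accounts rather than depth on one.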
The Top Five of the Hacked Passwords
According to Microsoft’s team of cybersecurity experts, the most commonly used passwords in spraying attacks are ‘123456’, ‘password’, ‘000000’, ‘1qaz2wsx’, and ‘a123456’. Those are the top five.
Google’s insight on the matter comes from the 670,000 users of the Chrome browser who installed the Password Checkup extension. That is where the company got the information about password habits on which the study is based.
The extension has been available since February 2019, has received positive feedback, and has been compared with Firefox’s Monitor breach-alert service. The latter draws on the compromised-credential data gathered by the Have I Been Pwned specialists.
Google’s data is broad enough for it to know that roughly four billion credentials have already been compromised at some point. That is why the Password Checkup service can warn users whether their password has ever been exposed in a breach or appears to be safe. More often than not, however, users ignore the fact that their credentials have been breached.
By the Numbers
Google knows that approximately 1.5 percent of more than 21 billion login attempts used breached credentials, and these attempts were observed across 746,000 domains all over the Internet.
Of all login attempts, 3.6 to 6.3 percent of those made on video streaming services and porn platforms used compromised credentials. Approximately 1.9 percent of the login attempts on news sites used previously breached passwords, with the shopping, email, and finance sectors being the next closest.
Google made it known that 25.7 percent of the alerts it issues to users don’t result in a password change, but 26.1 percent of them do trigger a change. Of those who opt to change their credentials for better security, 60 percent pick new passwords that aren’t vulnerable to guessing attacks.
Google’s researchers argue that their Chrome extension is significantly better than the systems that Have I Been Pwned and Firefox Monitor implement.
The researchers at Google also say that the rival services are themselves exposed to attack because of the tradeoff they accept: they sacrifice privacy by sending a lot of account details over unauthenticated channels.