In a highly connected world where people re-use the same usernames, passwords and credit card details across websites, apps, software, games and email accounts, it is no surprise that there is constant concern about how well our data is protected. The concern becomes even more pressing when we are keying that same set of credentials into our mobile devices every day.
In the research paper titled ‘Protecting Accounts from Credential Stuffing with Password Breach Alerting’, the authors argue that credential stuffing attacks are hard to defend against because of an asymmetry of knowledge: attackers have wide-scale access to billions of stolen usernames and passwords, while users and identity providers have no way of knowing which of their own credentials are among them.
The paper set out to design a privacy-preserving protocol whereby a client can query a centralised breach repository to check whether a specific username and password combination has been exposed, without revealing to the repository which username or password is being checked. The client can be an end user, a password manager or an identity provider. In outline, the client sends only a short prefix of a slow hash of the credential pair together with a blinded copy of the full hash; the server answers with the bucket of breached entries that share that prefix, and the client finishes the comparison locally. The researchers implemented this as a cloud service indexing over 4 billion username and password pairs found in breaches, with a Google Chrome extension as the initial client. The extension, called Password Checkup, is available for Chrome from the Chrome Web Store.
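The following is an added example, not code from the page, from Google or from the paper's authors, showing how a breach lookup can avoid revealing the credential. It follows the paper's design (a short prefix of a slow hash selects a bucket, and the full hash is blinded with a random exponent so the server never sees it), but it substitutes a prime-field group and PBKDF2 for the elliptic-curve blinding and Argon2 used by the real service, and the breach list, salt, iteration count and username canonicalisation are this example's own assumptions.

```python
import hashlib
import math
import secrets

# Group for the blinding: the multiplicative group modulo the Mersenne prime
# 2**521 - 1. A prime-field group is used here only so the example runs with
# the standard library; the real service blinds elliptic-curve points instead.
P = (1 << 521) - 1
PREFIX_BYTES = 2  # the paper sends a 2-byte hash prefix, i.e. about 65k buckets


def credential_hash(username, password):
    """Slow hash of the canonicalised (username, password) pair.

    The paper uses Argon2; PBKDF2-HMAC-SHA256 stands in because it is in the
    standard library. Lower-casing the username, the salt and the iteration
    count are assumptions of this example.
    """
    canonical = username.strip().lower() + "\x00" + password
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"),
                               b"password-checkup-demo-salt", 20_000, dklen=64)


def to_group_element(digest):
    """Map a digest to a group element in [2, P-1]."""
    h = int.from_bytes(digest, "big") % P
    if h in (0, 1):  # probability about 2**-520; fail loudly rather than silently
        raise ValueError("degenerate hash value")
    return h


class BreachServer:
    """Stores breached credentials only as keyed values H_i**b mod P."""

    def __init__(self, breached_pairs):
        self._key = secrets.randbelow(P - 3) + 2   # server secret exponent b
        self._buckets = {}                         # hash prefix -> set of H_i**b
        for username, password in breached_pairs:
            digest = credential_hash(username, password)
            bucket = self._buckets.setdefault(digest[:PREFIX_BYTES], set())
            bucket.add(pow(to_group_element(digest), self._key, P))
        self.observed = []  # everything the server sees per query, for inspection

    def query(self, prefix, blinded):
        """Return (blinded**b, the bucket of H_i**b sharing the prefix)."""
        self.observed.append((prefix, blinded))
        return pow(blinded, self._key, P), set(self._buckets.get(prefix, ()))


def check_credential(server, username, password):
    """Client side: True if (username, password) is in the server's breach set."""
    digest = credential_hash(username, password)
    h = to_group_element(digest)
    while True:  # the blinding exponent must be invertible modulo P - 1
        r = secrets.randbelow(P - 3) + 2
        if math.gcd(r, P - 1) == 1:
            break
    blinded = pow(h, r, P)                      # H**r: the server never sees H
    response, bucket = server.query(digest[:PREFIX_BYTES], blinded)
    r_inv = pow(r, -1, P - 1)                   # r * r_inv == 1 (mod P - 1)
    unblinded = pow(response, r_inv, P)         # (H**(r*b))**r_inv == H**b
    return unblinded in bucket


if __name__ == "__main__":
    # Constructed sample breach data, not real leaked credentials.
    server = BreachServer([("alice@example.com", "hunter2"), ("bob", "letmein")])
    print(check_credential(server, "Alice@Example.com", "hunter2"))  # True
    print(check_credential(server, "alice@example.com", "hunter3"))  # False
```

The server learns only a 2-byte prefix (shared by tens of thousands of breached entries in the real index) and a blinded value it cannot unblind, so it cannot tell which credential was checked; the client receives the bucket only in keyed form H_i**b, so it cannot extract other users' credentials from the response, and every test of a candidate pair costs a round trip to the server.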
Using anonymous telemetry from nearly 670,000 users and 21 million logins, the researchers found that 1.5% of logins on the web used breached credentials. When the extension warned the user, 26% of warnings resulted in the user migrating to a new password.
In mid-August 2019, Google released two new features for the Password Checkup extension. The first is a direct feedback mechanism: users can tell the research team about issues they face via a quick comment box. The second gives users more control over their data: they can opt out of the anonymous telemetry the extension reports, such as the number of lookups performed and whether a password-change alert was shown.
While this adds one more check for the user or password manager to perform, it is an example of the task-specific, layered defences that will become commonplace as this trend continues. At least for Chrome users, the task is now slightly easier.
On Pixel phones and other devices running Android 7 or later, Google services can now verify your identity with your fingerprint or screen lock instead of a password, using the FIDO2/WebAuthn standard.
You can read more about the researchers' findings in the paper itself.
Terence Ang used to be the Supervising Editor for the New Media division in Singapore, where he worked with the editorial teams behind HardwareZone.com and HWM the magazine. In that role, he looked at ways the teams in Singapore could collaborate with the editors in Malaysia, the Philippines, Indonesia and Thailand. Terence is currently the Product Manager but contributes to the blog section whenever he can (or finds something interesting to talk about).