When we get a list, first, we check to see if it actually matches any accounts and passwords in our system. This is done in an automated and secure way so no human actually sees the account info of our customers.
You’d be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches. But sometimes there are hits – on average, we see successful password matches of around 20% of matching usernames. A recent one only had 4.5% overlap. This is actually exciting because it means that, on average, 80% of our customers are following safe password practices, and this reflects a growing sophistication in our customers.
Next, we look to see if there is evidence of criminal activity, like sending spam. If we do see signs of criminal activity, we suspend the account and ask the rightful owner to go through account recovery to regain control. In other cases we simply ask the customer to change their password (before any harm can be done)...
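The automated matching step described above, as an added illustration (not code from the quoted company or from this article): a leaked `user:password` dump is parsed, each leaked username is looked up in a hypothetical credential store that holds only salts and PBKDF2 digests, the leaked plaintext is hashed with that user's salt and compared in constant time, and the result is a report that names only the accounts needing a forced reset, never the passwords. The user store, the dump contents and the iteration count are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical credential store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
# Plaintext passwords are never stored; the dump's plaintext is hashed with the
# stored salt and compared to the digest, so the check needs no human review.
PBKDF2_ITERATIONS = 50_000  # constructed value, not a recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_credential(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample accounts (illustration only).
USER_STORE: dict[str, tuple[bytes, bytes]] = {
    "alice": new_credential("correct horse battery staple"),
    "bob": new_credential("hunter2"),
    "carol": new_credential("Tr0ub4dor&3"),
    "dave": new_credential("letmein"),
}

# Constructed sample dump in the common "user:password" line format.
LEAKED_DUMP = """\
alice:password123
bob:hunter2
dave:letmein
erin:qwerty
mallory:abc123
carol:wrongpassword
bob:hunter2
not-a-valid-line
"""


@dataclass
class MatchReport:
    leaked_entries: int                     # distinct (user, password) pairs parsed
    username_overlap: int                   # leaked usernames that exist in our store
    password_matches: list[str] = field(default_factory=list)  # accounts to reset

    @property
    def match_rate(self) -> float:
        """Share of overlapping usernames whose leaked password is also correct."""
        if self.username_overlap == 0:
            return 0.0
        return len(self.password_matches) / self.username_overlap


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse 'user:password' lines; skip blank or malformed lines, drop duplicates."""
    seen: set[tuple[str, str]] = set()
    pairs: list[tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        pair = (user.strip().lower(), pw)
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)
    return pairs


def check_dump(text: str, store: dict[str, tuple[bytes, bytes]]) -> MatchReport:
    """Compare a dump against the store; the report carries usernames only."""
    pairs = parse_dump(text)
    overlapping_users = {user for user, _ in pairs if user in store}
    matches: set[str] = set()
    for user, candidate in pairs:
        if user not in store:
            continue
        salt, stored_digest = store[user]
        if hmac.compare_digest(hash_password(candidate, salt), stored_digest):
            matches.add(user)
    return MatchReport(len(pairs), len(overlapping_users), sorted(matches))


if __name__ == "__main__":
    report = check_dump(LEAKED_DUMP, USER_STORE)
    print(f"{report.leaked_entries} entries, {report.username_overlap} usernames overlap, "
          f"{len(report.password_matches)} password matches ({report.match_rate:.0%})")
    for user in report.password_matches:
        print(f"force password reset: {user}")
```

The match rate is computed the way the quoted post describes it, as password hits over usernames that exist in the store rather than over all dump lines, so garbage lists with few real usernames do not dilute the number. Only the names of matched accounts leave the function; the next step (suspend on signs of abuse, otherwise prompt a password change) acts on that list alone.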
One in five reuses passwords across services
Posted on Tuesday, July 17 2012 @ 13:38 CEST by Thomas De Maesschalck