The widespread availability of usernames and passwords exposed by data breaches remains a big threat to users and organizations. In response, browsers such as Chrome started alerting users when their credentials appear in breaches. Specifically, whenever a user signs in to or registers on a site, a pop-up notification is triggered if the credentials used have been found in a data breach.
This paper reports the challenges that users experienced and their concerns regarding the Chrome compromised credentials notification. We adopted a two-step approach to uncover the issues of the notification, including qualitatively analyzing users’ online comments and conducting semi-structured interviews with participants who had received the notification.
We found that users’ issues with the notification are associated with five core aspects of the notification: the authenticity of the notification, data breach incidents, Google’s knowledge of users’ compromised credentials, multiple accounts being associated with one notification, and actions recommended by the notification. We also identified the detailed challenges and concerns users had regarding each aspect of the notification. Based on the results, we offer suggestions to improve the design of browser-based compromised credential notifications.
You can find more information in the paper:
Huang Yue, (website, LinkedIn), Borke Obada-Obieh, and Konstantin Beznosov, “Users’ Perceptions of Chrome’s Compromised Credential Notification.” In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)
The following video provides a quick overview of the research. You can also watch the video on YouTube.