Passwords are becoming archaic in terms of business-fronted operations, but within consumer services such as email clients that are still a first line of defense. A new Google study shows that users are still not changing their passwords even when they are told the account the password is used for has been compromised.

According to Google data, users are using credentials that have previously been compromised. The company studied password login behavior from 670,000 users who used the company’s Password Checkup Chrome extension. Those users logged into websites using the tool a total of 21 million times.

If you’re unfamiliar with Password Checkup extension, it allows users to see if their credentials have been breached previously. To check the data, Google leverages a password database showing past breaches.

When a user signs into a website when using Password Checkup, the tool will check the username and password against 4 billion from the database to see if it has been compromised.

In its study, Google shows 1.5% of those 21 billion logins were using passwords that have previously been compromised. That totals 316,531 users who are using passwords that have previously been breached.

Furthermore, the company says this number would likely be higher if people had not downloaded Password Checkup.

New Features

Google also announced two new features for Password Checkup:

“Today, we are also releasing two new features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform us about any issues that they are facing via a quick comment box. The second gives users even more control over their data.

It allows users to opt-out of the anonymous telemetry that the extension reports, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.”