
Google publishes Password Checkup extension for Chrome


Karlston


Password Checkup is a new browser extension for the Google Chrome web browser by Google that informs users about unsafe usernames or passwords.

 

Internet users have some options when it comes to testing the strength of passwords and finding out if any of their accounts were included in leaks.

 

The Have I Been Pwned database is probably the biggest public database of leaked passwords; it consists of more than 6.4 billion accounts, and you may check any account email address or password against the database.

 

Some password managers support password checks; my favorite tool, KeePass, supports this so that you can check all passwords against the database locally to reveal accounts that need password changes as you should consider any leaked password as compromised.

Password Checkup by Google


 

Google's Password Checkup solution is available as a Chrome extension. It works only with the integrated password manager of the Chrome browser and not if you use third-party password managers such as LastPass or 1Password.

 

Password Checkup uses a different system when it comes to informing users about unsafe credentials.

 

It checks the password that is used to sign in to accounts on the Internet when sign-ins happen against a database of more than 4 billion passwords.

 


 

Google maintains a list of leaked usernames and passwords in hashed and encrypted format, and adds new credentials to it whenever it becomes aware of them.

 

The company notes that the extension and system were designed with privacy in mind because of the sensitive nature of the data. The extension was designed to "never reveal [..] personal information to Google" and "prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords".

 

Password Checkup sends a hashed and encrypted copy of the username to Google when users sign in to sites. Google uses blinding and private information retrieval to search the database of unsafe credentials; the final check that determines whether the username or password was exposed in a data breach happens locally according to Google.

 

The browser extension displays actionable information if the username or password was found to have leaked online. Users are asked to change the password right then and there but it is also possible to ignore the findings for specific sites.

 

Google plans to refine the extension in the coming months. You can check out the post on the Google Security blog for additional information.

Closing Words

Password Checkup uses a different approach to the majority of password leak checkers out there. Username and password are only checked if the user signs in to sites. While that takes some of the stress involved in having to change passwords on dozens or even hundreds of sites, it could mean that a user never becomes aware of credential issues or only after a prolonged period.

 

Additionally, since Google uses its own set of data, it is possible that a leaked password or username is not found in Google's database but in Have I Been Pwned's or others on the Internet (and vice versa). A quick test showed that Google did not detect breaches for some accounts while Have I Been Pwned did.

 

Google could solve some of the issues of the extension by adding an option to it to check all stored usernames and passwords against its database of leaked credentials.

 

Source: Google publishes Password Checkup extension for Chrome (gHacks - Martin Brinkmann)
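
The blinded lookup with a local final check that the article describes can be sketched as follows. This is an added example, not part of the original post and not Google's code: the group (integers modulo 2**255 - 19), the SHA-256 hashing, and every name in it are assumptions chosen for brevity, and the private information retrieval step is left out, so the client simply reads the server's whole blinded list.

```python
import hashlib
import math
import secrets

# Toy group (assumption, for brevity): integers modulo the prime 2**255 - 19.
# A production design would use a prime-order group and a slow password hash.
P = 2**255 - 19
ORDER = P - 1  # exponents are reduced modulo the group order


def hash_to_group(username: str, password: str) -> int:
    """Map a credential pair to a nonzero group element."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1  # value in [1, P-1]


def random_exponent() -> int:
    """Pick a secret exponent that is invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


class Server:
    """Publishes the breach list only under its secret exponent b."""

    def __init__(self, leaked):
        self._b = random_exponent()
        self.blinded_db = {pow(hash_to_group(u, p), self._b, P) for u, p in leaked}

    def answer(self, blinded_query: int) -> int:
        # The server sees only H(cred)^a, never H(cred) or the credential.
        return pow(blinded_query, self._b, P)


def client_check(server: Server, username: str, password: str) -> bool:
    a = random_exponent()                                    # fresh per lookup
    blinded = pow(hash_to_group(username, password), a, P)   # H^a, sent out
    doubly = server.answer(blinded)                          # H^(a*b), returned
    unblinded = pow(doubly, pow(a, -1, ORDER), P)            # H^b, a removed
    return unblinded in server.blinded_db                    # decided locally


# Constructed sample data, not real breach entries.
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "letmein")])
```

Because the client cannot compute H^b without asking the server, it cannot test guesses against the published list offline, and because the server only ever sees H^a, it does not learn which credential was checked.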
