- Password Checkup alerts users to change their passwords in case of a breach
- Google says it does not get users' account details through the extension
- Password Checkup was launched to mark Safer Internet Day
Password security on the internet is crucial in today’s world, where data breaches have become almost a daily occurrence. When huge troves of personal user data leak from a website or an online database, they usually include unique combinations of usernames and passwords belonging to millions of people. In many cases, these data leaks are discovered by security researchers, who then make their findings public and tell affected users to change their credentials. Google is one company that holds information on over 4 billion credentials that have been compromised in various security breaches around the world. To address the issue, the company aptly announced its Password Checkup Chrome extension to mark Safer Internet Day on February 5.
Password Checkup can be downloaded as an extension from the Chrome Web Store and it functions just like HaveIBeenPwned. The service basically matches your login credentials with its database of breached usernames and passwords and alerts you if it finds that your credentials were ever a part of a data leak. In case your credentials are a match, the extension will trigger an automatic warning and suggest that you change your password.
Bear in mind that when the Password Checkup extension is up and running on your Chrome browser, Google will be reading your usernames and passwords every time you log into a website. However, the company says that this private information will never be revealed to Google. Stressing how secure the Password Checkup tool is, Google says that it is designed to withstand hacks and that all statistics reported by the extension are anonymous. “These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility,” Google explains in a blog post.
Google further notes that Password Checkup will only send users alerts in case it finds a possible breach of their credentials and will not prompt users to change outdated or weak passwords like “123456”. Coincidentally, “123456” topped the list of the weakest passwords of 2018 according to SplashData.
Google’s approach with Password Checkup is actually a genius way of bringing a HaveIBeenPwned-like service to the browser. The only difference is that HaveIBeenPwned also allows people to check if their email IDs have ever been part of a breach. Given that the website has been doing this for a long time, its database of previous breaches is large. Just recently, a massive set of 773 million records was leaked in one of the biggest single data breaches ever to go public. The leak included 2.7 billion rows (2,692,818,238 rows to be exact) of emails and passwords, and the hack was first reported by security expert Troy Hunt, who created and runs HaveIBeenPwned.
How Password Checkup works
To make Password Checkup a secure platform, Google says it uses multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding. When you log into a website, a strongly hashed and encrypted copy of your account details is sent to Google's servers; the company cannot read it because the decryption key is stored on the user's machine. Google then uses blinding and private information retrieval techniques to search the database of unsafe usernames and passwords. The company says that the final check of whether the username and password were part of a breach is completely local and on-machine.
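The lookup described above can be sketched as a blinded, prefix-bucketed query whose final comparison runs on the client. This is an added example, not Google's code: the group (integers modulo the Mersenne prime 2^521 - 1), PBKDF2 as the hash, the 2-byte prefix, returning the whole bucket in place of private information retrieval, and every function and class name are assumptions made for illustration.

```python
import hashlib
import math
import secrets

P = 2**521 - 1  # Mersenne prime; toy group chosen for brevity (assumption)

def slow_hash(user, password):
    # Stand-in for the "multiple rounds of hashing"; username acts as the salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000, dklen=64)

def to_group(digest):
    return int.from_bytes(digest, "big") + 1  # 1 <= value < P for a 64-byte digest

def new_key():
    # The exponent must be invertible mod P-1 so blinding can be undone.
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    def __init__(self, breached):
        self.key = new_key()  # never leaves the server
        self.buckets = {}
        for user, password in breached:
            d = slow_hash(user, password)
            self.buckets.setdefault(d[:2], set()).add(pow(to_group(d), self.key, P))

    def lookup(self, prefix, blinded):
        # The server learns only a 2-byte prefix shared by many credentials
        # (k-anonymity) and a value blinded with a key it does not hold.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def is_breached(server, user, password):
    d = slow_hash(user, password)
    a = new_key()  # per-lookup client key, kept on the user's machine
    double_blinded, bucket = server.lookup(d[:2], pow(to_group(d), a, P))
    # Strip the client key: (x^a)^b raised to a^-1 mod (P-1) leaves x^b.
    server_blinded = pow(double_blinded, pow(a, -1, P - 1), P)
    return server_blinded in bucket  # final comparison happens locally

if __name__ == "__main__":
    # Constructed sample data, not real breach records.
    srv = Server([("alice@example.com", "hunter2"), ("bob@example.com", "123456")])
    print(is_breached(srv, "alice@example.com", "hunter2"))   # True
    print(is_breached(srv, "alice@example.com", "n3w-pass"))  # False
```

Because the client draws a fresh key for every lookup, two queries for the same credential send different blinded values, so the server cannot link them beyond the shared prefix.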
Since this is a first version of Password Checkup, Google says that it will continue refining the extension over the coming months.