Hot on the heels of their security tips for Safer Internet Day, Google has announced the Password Checkup Chrome extension. The extension will let you know if the password you’re currently using for a specific site is compromised — matched against a massive database of over 4 billion compromised credentials.
“Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username orJennifer Pullman, Kurt Thomas, and Elie Bursztein, Security and Anti-abuse research
password,and that any breach data stays safe from wider exposure. Since Password Checkup is an early experiment, we’re sharing the technical details behind our privacy preservingprotocol to be transparent about how we keep your data secure.”
Once you’ve installed the Password Checkup Chrome extension (link below), the extension icon will appear in your browser bar. If you log in to a website using compromised credentials, Google will alert you with a nice red warning box and strongly suggest you change your password. You also have the option to ignore it for the current site, although that would be HIGHLY unrecommended.
Google goes on to outline the three key principles they followed when designing the extension.
Alerts are actionable, not informational: We believe that an alert should provide concise and accurate security advice. For an unsafe account, that means resetting your password. While it’s possible for data breaches to expose other personal data such as a phone number or mailing address, there’s no straightforward next step to re-securing that data. That’s why we focus only on warning you about unsafe usernames and passwords.
Privacy is at the heart of our design: Your usernames and passwords are incredibly sensitive. We designed Password Checkup with privacy-preserving technologies to never reveal this personal information to Google. We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous. These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password
change,and the web domain involved for improving site compatibility.
Advice that avoids fatigue: We designed Password Checkup to only alert you when all of the information necessary to access your account has fallen into the hands of an attacker. We won’t bother you about outdated passwords you’ve already reset or merely weak passwords like “123456”. We only generate an alert when both your current username and password appear in a breach, as that poses the greatest risk.
Of course, whenever usernames and passwords are concerned, there are obvious questions about the underlying process. You can read more at the source link below. In the meantime, Google also published a handy infographic on how Password Checkup works.
Last Updated on February 3, 2021.