Google’s new Chrome extension flags insecure passwords

As the number of compromised and leaked credentials rises inexorably with each passing day, Google has decided to help users choose safe combinations for all their online accounts.

To that end, the company has released a new Chrome extension called Password Checkup.

About Password Checkup

Once installed, Password Checkup appears in the browser bar. It springs into action when the user uses a username/password combination that is one of over 4 billion that Google knows to be unsafe.

The user can then ignore or act on the warning to prevent account hacking.

“We designed Password Checkup to only alert you when all of the information necessary to access your account has fallen into the hands of an attacker. We won’t bother you about outdated passwords you’ve already reset or merely weak passwords like “123456”,” the company explained.

“We only generate an alert when your current username and password appear in a breach, as that poses the greatest risk.”

Jake Moore, cyber security expert at ESET UK, noted that this is an excellent way to remind many people about their possibly weak or compromised passwords that need to be updated.

“It would be an incredible feat to have not had one of your passwords stolen in a data breach in recent years, so hopefully, Google’s new tool will be a way of highlighting this and reminding you to change it,” he pointed out.

Trusting Google or not?

For those worried about their credentials ending up in Google’s hands or the hands of hackers who might compromise or abuse the extension, the company offers reassurance.

“At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding,” the company shared.

This infographic depicts the credential-checking process that happens under the hood when Password Checkup detects credentials being entered in a login page:

The whole point is that both Google or potential attackers can only access credentials in their hashed and encrypted form.

Google also means to publish a paper with the details about the extension’s underlying protocols and cryptographic principles, so that independent experts might evaluate them.

Still, the extension is “an early experiment” and needs to be perfected. The research scientists who created it told Wired that they’ve skewed the results toward zero false positives to prevent giving users warnings based on similar but slightly different passwords or the same password that was compromised for a different person.

Those who still feel uncomfortable with checking their passwords with a tool made by Google can use other tools like Pwned Passwords.

“After all the recent new breaches there’s no better time for users to update all their passwords anyway,” Moore advised.