LASER_oneXM

Level 33
Verified
Google announced the release of the Password Checkup Chrome extension designed to keep an eye on current data breaches and notify its users if their accounts have been impacted by recent security breaches.

While Google already resets passwords of user accounts who might have been affected by third-party breaches as part of an effort to limit the potential security impact on its users' accounts, this feature is limited only to Google accounts.

The new Password Checkup Chrome extension was developed to expand Google's data breach protections to cover all other accounts a user might use to log into other websites and apps.

After Password Checkup is installed in Chrome, it will automatically warn the user and suggest a password change whenever it detects that the username and password combination used on the current site is one of over 4 billion credentials Google knows to have been previously compromised in data breach events.
Read more: Google Launches Password Checkup Extension to Alert Users of Data Breaches
 

Telos

Level 17
Verified
Content Creator
Pass the tinfoil hat, but I'm supposed to trust Google that this is securely implemented as I send them all my login credentials via a Chrome extension? Oh wow. I won't store my passwords in Chrome. Why would I do this? It seems the risk of "knowing" may be greater than the risk of not knowing.

Ignorance is bliss.
 

Spawn

Administrator
Verified
Staff member
Thread Moved to Browsers & Extensions to prevent archiving.

Password Checkup helps you re-secure accounts that have been affected by data breaches.
Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password. If you use the same username and password for any other accounts, please reset your password there as well.

Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords or device. We do report anonymous information about the number of look-ups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.

You can learn more about how Password Checkup works at Protect accounts that have unsafe passwords - Google Account Help.

Get extension: Password Checkup

Google Blogs:
  1. Protecting your data, no matter where you go on the web
  2. Google Online Security Blog: Protect your accounts from data breaches with Password Checkup
 

Spawn

Administrator
Verified
Staff member
I don't see why not. Your credentials still need to be entered onto the webpage to log in, so they can be checked by Password Checkup (if installed).

For those privacy-minded folk.
A New Google Chrome Extension Will Detect Your Unsafe Passwords
the company collaborated with cryptographers at Stanford University to devise layers of encryption and hashing—protective data scrambling—that combine to protect the data as it traverses the internet. First of all, the entire database is scrambled with a hashing function called Argon 2, a robust, well-regarded scheme, as a deterrent against an attacker compromising the database or attempting to pull credentials out of the Chrome extension.

Rather than have you download the entire database, the researchers devised a scheme for downloading a smaller subset, or partition, of the data without revealing too much about your specific username and password. When you log into a site, Password Checkup generates a hash of your username and password on your device, and then sends a snippet of it to Google. The system then uses this prefix to create the smaller subset of breached username and password data to download onto your device. "This provides a strong anonymity set where there’s basically hundreds of thousands of usernames and passwords that would fall into that prefix, but we have no idea which they are," Thomas says. "When you sign in you send that little prefix to Google and we give you every account that we know to download."

To index into your subset of the database, your device signs your encrypted username and password with a key only it knows and sends it to Google. Next the company signs it with its own secret key, then sends it back to your device, which decrypts it with its key. After this handshake is complete, the data is finally in the right state of encryption and hashing to do a compatible local lookup on your device against the portion of the database you've downloaded. The idea is that everything is encrypted all the time to make the data as indecipherable and useless to a potential attacker—or Google itself—as possible at every phase.
Correct if wrong.
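
The prefix lookup and blinding handshake described in the quoted article, as an added example that is not part of the original post and not Google's code. It assumes SHA-256 in place of Argon2, a toy multiplicative group, a 2-byte prefix, and constructed credentials.

```python
import hashlib
import math
import secrets

P = 2**521 - 1        # Mersenne prime; toy group (assumption), not a production parameter
ORDER = P - 1         # order of the multiplicative group mod P
PREFIX_BYTES = 2      # assumed prefix length; the article gives none

def cred_hash(user, pw):
    # Stand-in for the slow hash (the article names Argon2); SHA-256 keeps this stdlib-only.
    return hashlib.sha256(f"{user}\x00{pw}".encode()).digest()

def to_group(digest):
    # Map a digest to an element of [1, P-1].
    return 1 + int.from_bytes(digest, "big") % (P - 1)

class Server:
    def __init__(self, breached):
        self.key = secrets.randbelow(ORDER - 2) + 2          # server secret exponent b
        self.buckets = {}                                    # prefix -> {h^b, ...}
        for user, pw in breached:
            d = cred_hash(user, pw)
            entry = pow(to_group(d), self.key, P)
            self.buckets.setdefault(d[:PREFIX_BYTES], set()).add(entry)

    def lookup(self, prefix, blinded):
        # The server sees only a short prefix and h^a, never h or the credentials.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def client_check(server, user, pw):
    d = cred_hash(user, pw)
    while True:                                              # client secret a must be invertible
        a = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(a, ORDER) == 1:
            break
    double_blinded, bucket = server.lookup(d[:PREFIX_BYTES], pow(to_group(d), a, P))
    unblinded = pow(double_blinded, pow(a, -1, ORDER), P)    # strips a, leaves h^b
    return unblinded in bucket                               # match is decided locally

if __name__ == "__main__":
    srv = Server([("alice@example.com", "hunter2")])         # constructed breach data
    print(client_check(srv, "alice@example.com", "hunter2"))
    print(client_check(srv, "alice@example.com", "a-long-unique-passphrase"))
```

The bucket entries are keyed with the server's secret, so a client cannot test arbitrary guesses against a downloaded bucket without another round trip.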
 

Nevi

Level 4
Verified
I just saw Google will start a plug-in in Chrome that checks PWs used. A new Chrome Extension from Google called Password Checkup will automatically check whether your passwords have been exposed in a data breach. Once installed, the extension checks any login details you use — Google says “most” US sites are supported — against a database of around four billion usernames and passwords, and warns you if it finds a match.
I think it's a great addition.
 

Spawn

Administrator
Verified
Staff member
Not everyone knows about HaveIBeenPwned, nor wants to register to something less known, even though it provides a service to others. I like to consider this as an extra layer or as an alternative to HIBP or services provided by your password manager.

Is this extension good to have?
It's not mandatory, but something to consider if you are interested.
 

Brie

Level 9
Verified
Not everyone knows about HaveIBeenPwned, nor wants to register to something less known, even though it provides a service to others. I like to consider this as an extra layer or as an alternative to HIBP or services provided by your password manager.


It's not mandatory, but something to consider if you are interested.
:giggle:
Thank you.
 

DeepWeb

Level 24
Verified
People are really worried that Google will leak your passwords? When has that happened? It's more likely that every other website will leak your password before Google does. Their security engineers are the best, heck some of them invented the security protocols we use. This is a highly useful tool.
 

L0ckJaw

Level 11
Verified
Content Creator
Any good password manager checks this for you, for example: Bitwarden, Avira Password Manager Pro, etc.
No need to install a Google extension.
 