Google publishes Password Checkup extension for Chrome - gHacks Tech News

Password Checkup is a new browser extension for the Google Chrome web browser by Google that informs users about unsafe usernames or passwords.

Internet users have some options when it comes to testing the strength of passwords and finding out if any of their accounts were included in leaks.

The Have I Been Pwned database is probably the biggest public database of leaked passwords; it consists of more than 6.4 billion accounts, and you may check any account email address or password against the database.

Some password managers support password checks. My favorite tool, KeePass, supports this: you can check all passwords against the database locally to reveal accounts that need password changes, as you should consider any leaked password compromised.

Password Checkup by Google

Google's Password Checkup solution is available as a Chrome extension. It works only with the integrated password manager of the Chrome browser and not if you use third-party password managers such as LastPass or 1Password.

Password Checkup uses a different system when it comes to informing users about unsafe credentials.

It checks the password that is used to sign in to an account on the Internet, at the moment the sign-in happens, against a database of more than 4 billion passwords.

Google maintains a list of leaked usernames and passwords in hashed and encrypted format, and adds new credentials to it whenever it becomes aware of them.

The company notes that the extension and system were designed with privacy in mind because of the sensitive nature of the data. The extension was designed to "never reveal [..] personal information to Google" and "prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords".

Password Checkup sends a hashed and encrypted copy of the username to Google when users sign in to sites. Google uses blinding and private information retrieval to search the database of unsafe credentials; the final check that determines whether the username or password was exposed in a data breach happens locally, according to Google.
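
A toy version of the blinded lookup described above, added here as an illustration; it is not Google's or the extension's code. It assumes Diffie-Hellman-style commutative blinding and a username-hash prefix bucket standing in for the retrieval step; the group, the prefix length and all names are assumptions made for the example.

```python
import hashlib
import secrets
from math import gcd

# Toy group: integers modulo the Mersenne prime 2**521 - 1, chosen only to keep
# the example short. A real deployment uses a vetted prime-order group.
P = 2**521 - 1
PREFIX_LEN = 2  # bytes of the username hash revealed to pick a bucket (assumed)


def hash_credential(username, password):
    """Return (bucket prefix from the username, group element for the pair)."""
    prefix = hashlib.sha256(username.encode()).digest()[:PREFIX_LEN]
    digest = hashlib.sha512(f"{username}\x00{password}".encode()).digest()
    return prefix, int.from_bytes(digest, "big") % P


class Server:
    """Holds leaked credentials only as H(cred)^b, grouped by username prefix."""

    def __init__(self, leaked):
        self._b = secrets.randbelow(P - 3) + 2  # server's secret exponent
        self._buckets = {}
        for user, pw in leaked:
            prefix, h = hash_credential(user, pw)
            self._buckets.setdefault(prefix, set()).add(pow(h, self._b, P))

    def lookup(self, prefix, blinded):
        # The server sees a short prefix and H(cred)^a, never H(cred) itself.
        return pow(blinded, self._b, P), self._buckets.get(prefix, set())


def client_check(server, username, password):
    """Return True if the pair is in the server's leaked set; decided locally."""
    prefix, h = hash_credential(username, password)
    while True:  # the blinding exponent must be invertible modulo P - 1
        a = secrets.randbelow(P - 3) + 2
        if gcd(a, P - 1) == 1:
            break
    double_blinded, bucket = server.lookup(prefix, pow(h, a, P))
    # Strip the client's exponent: (h^(a*b))^(1/a) = h^b, then compare locally.
    unblinded = pow(double_blinded, pow(a, -1, P - 1), P)
    return unblinded in bucket
```

The server never receives the unblinded hash, and the client only ever sees entries raised to the server's secret exponent, so neither side can read the other's data directly.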

The browser extension displays actionable information if the username or password was found to have leaked online. Users are asked to change the password right then and there, but it is also possible to ignore the findings for specific sites.

Google plans to refine the extension in the coming months. You can check out the post on the Google Security blog for additional information.

Closing Words

Password Checkup uses a different approach to the majority of password leak checkers out there. Username and password are only checked when the user signs in to sites. While that takes away some of the stress involved in having to change passwords on dozens or even hundreds of sites, it could mean that a user never becomes aware of credential issues, or only after a prolonged period.

Additionally, since Google uses its own set of data, it is possible that a leaked password or username is not found in Google's database but in Have I Been Pwned's or others on the Internet (and vice versa). A quick test showed that Google did not detect breaches for some accounts while Have I Been Pwned did.

Google could solve some of the issues of the extension by adding an option to it to check all stored usernames and passwords against its database of leaked credentials.

Now You: What is your impression of Password Checkup so far?


Comments

  1. ShintoPlasm said on February 5, 2019 at 10:08 pm

    “More of your data, stupid user, moar! Moaaarr!”

    1. Anonymous said on February 6, 2019 at 12:22 pm

      Since “it works only with the integrated password manager of the Chrome browser”, they have all that data already anyway

  2. Anonymous said on February 5, 2019 at 10:46 pm

    They say that this extension sends to Google as telemetry some browsing data (“the web domains involved”).

  3. Anonymous said on February 6, 2019 at 3:50 am

    Don’t worry, Google and the Five Eyes will keep your login names, passwords, and finances safe. It’s not like with that information sent overseas to Five Eyes partners foreign agents would have the ability to access any of your accounts at any time. Or who knows where else your data will wind up?

    (sarcasm)

  4. Steve said on February 6, 2019 at 7:08 am

    Google already sucks what it wants from Chrome.

    In theory it should add a layer of protection additional to haveibeenpwned email check.

    Number me User 490 on a trial basis.

  5. Anonymous said on February 6, 2019 at 7:19 am

    I don’t understand how to install an extension with Ungoogled Chromium? Please help.

  6. supergirl said on February 6, 2019 at 8:18 am

    I have Zero trust in Google.
    ’nuff said….

  7. Mikolaj said on February 6, 2019 at 10:13 am

    Will it work when LastPass is installed and auto-populates the password fields?

  8. virus said on February 6, 2019 at 2:32 pm

    Typical google fail:

    Chrome-Add-on: Password Checkup transmits domain name
    ( German Blog )

    https://www.kuketz-blog.de/chrome-add-on-password-checkup-uebermittelt-domainname/
