Google publishes Password Checkup extension for Chrome

Martin Brinkmann
Feb 5, 2019
Updated • Feb 5, 2019
Google Chrome, Google Chrome extensions

Password Checkup is a new browser extension for the Google Chrome web browser by Google that informs users about unsafe usernames or passwords.

Internet users have some options when it comes to testing the strength of passwords and finding out if any of their accounts were included in leaks.

The Have I Been Pwned database is probably the biggest public database of leaked passwords; it consists of more than 6.4 billion accounts, and you may check any account email address or password against the database.

Some password managers support password checks. My favorite tool, KeePass, supports this, so you can check all passwords against the database locally to reveal accounts that need password changes; you should consider any leaked password compromised.

Password Checkup by Google


Google's Password Checkup solution is available as a Chrome extension. It works only with the integrated password manager of the Chrome browser and not if you use third-party password managers such as LastPass or 1Password.

Password Checkup uses a different system when it comes to informing users about unsafe credentials.

Whenever a sign-in happens, it checks the password that is used to sign in to the account against a database of more than 4 billion passwords.

Google maintains a list of leaked usernames and passwords in hashed and encrypted format, and adds new credentials to it whenever it becomes aware of them.

The company notes that the extension and system were designed with privacy in mind because of the sensitive nature of the data. The extension was designed to "never reveal [..] personal information to Google" and "prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords".

Password Checkup sends a hashed and encrypted copy of the username to Google when users sign in to sites. Google uses blinding and private information retrieval to search the database of unsafe credentials; the final check that determines whether the username or password was exposed in a data breach happens locally according to Google.

The browser extension displays actionable information if the username or password was found to have leaked online. Users are asked to change the password right then and there, but it is also possible to ignore the findings for specific sites.
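To make the blinding step and the local final check concrete, here is an added sketch of a blinded lookup; it is not Google's code and not from the original article. The toy modulus, SHA-256 hashing, the 2-byte username prefix that stands in for the private information retrieval step, and all names (`BreachServer`, `is_exposed`) are assumptions for illustration.

```python
import hashlib
import math
import secrets

P = 2**255 - 19      # toy prime modulus, demo only (assumption)
PREFIX_BYTES = 2     # size of the bucket selector the server sees (assumption)

def hash_to_group(username: str, password: str) -> int:
    """Map a credential pair to a nonzero element of Z_P^*."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def bucket_id(username: str) -> bytes:
    """Short username-hash prefix: a coarse selector shared by many users."""
    return hashlib.sha256(username.encode()).digest()[:PREFIX_BYTES]

def new_key() -> int:
    """Random exponent that is invertible modulo the group order P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class BreachServer:
    """Hypothetical server: stores only credentials raised to its secret key."""
    def __init__(self, leaked):
        self._key = new_key()
        self._buckets = {}
        for user, pw in leaked:
            entry = pow(hash_to_group(user, pw), self._key, P)
            self._buckets.setdefault(bucket_id(user), set()).add(entry)

    def lookup(self, prefix: bytes, blinded: int):
        # The server re-encrypts the blinded value; it never sees the hash itself.
        return pow(blinded, self._key, P), self._buckets.get(prefix, set())

def is_exposed(server: BreachServer, username: str, password: str) -> bool:
    a = new_key()                                    # fresh blinding key per check
    blinded = pow(hash_to_group(username, password), a, P)
    double, bucket = server.lookup(bucket_id(username), blinded)
    unblinded = pow(double, pow(a, -1, P - 1), P)    # strip the client's layer
    return unblinded in bucket                       # final match happens locally

# Constructed sample data, not real breach records.
LEAKED = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]
```

The server only ever receives the prefix and a value blinded under a key it does not know, and the client only ever receives entries encrypted under the server's key, so neither side learns the other's plaintext credentials.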

Google plans to refine the extension in the coming months. You can check out the post on the Google Security blog for additional information.

Closing Words

Password Checkup uses a different approach to the majority of password leak checkers out there. Username and password are only checked if the user signs in to sites. While that takes away some of the stress involved in having to change passwords on dozens or even hundreds of sites, it could mean that a user never becomes aware of credential issues or only after a prolonged period.

Additionally, since Google uses its own set of data, it is possible that a leaked password or username is not found in Google's database but is found in Have I Been Pwned's or others on the Internet (and vice versa). A quick test showed that Google did not detect breaches for some accounts while Have I Been Pwned did.

Google could solve some of the issues of the extension by adding an option to check all stored usernames and passwords against its database of leaked credentials.

Now You: What is your impression of Password Checkup so far?


Comments

  1. virus said on February 6, 2019 at 2:32 pm

    Typical google fail:

    Chrome-Add-on: Password Checkup transmits domain name
    ( German Blog )

    https://www.kuketz-blog.de/chrome-add-on-password-checkup-uebermittelt-domainname/

  2. Mikolaj said on February 6, 2019 at 10:13 am

    Will it work when LastPass is installed and auto-populates the password fields?

  3. supergirl said on February 6, 2019 at 8:18 am

    I have Zero trust in Google.
    ’nuff said….

  4. Anonymous said on February 6, 2019 at 7:19 am

    I don’t understand how to install an extension with Ungoogled Chromium? Please help.

  5. Steve said on February 6, 2019 at 7:08 am

    Google already sucks what it wants from Chrome.

    In theory it should add a layer of protection additional to haveibeenpwned email check.

    Number me User 490 on a trial basis.

  6. Anonymous said on February 6, 2019 at 3:50 am

    Don’t worry, Google and the Five Eyes will keep your login names, passwords, and finances safe. It’s not like with that information sent overseas to Five Eyes partners foreign agents would have the ability to access any of your accounts at any time. Or who knows where else your data will wind up?

    (sarcasm)

  7. Anonymous said on February 5, 2019 at 10:46 pm

    They say that this extension sends to Google as telemetry some browsing data (“the web domains involved”).

  8. ShintoPlasm said on February 5, 2019 at 10:08 pm

    “More of your data, stupid user, moar! Moaaarr!”

    1. Anonymous said on February 6, 2019 at 12:22 pm

      Since “it works only with the integrated password manager of the Chrome browser”, they have all that data already anyway
