Google Password audits all your passwords to reveal weak, reused or compromised passwords
Google Password, an online service that stores passwords of user accounts, may now audit all stored passwords to reveal weak, reused or compromised passwords to the account owner.
The company announced the new feature on October 2, 2019 on the official Safety & Security blog alongside other privacy improvements to various Google-owned services and products.
Passwords get synchronized between Chrome installations using the online password manager if the user signs in to Google Chrome and enables sync functionality in the browser.
The new password auditing functionality is already available. Here is how you start an audit of your saved passwords using the Google Password manager:
- Load https://myaccount.google.com/security in your browser of choice. If you are not signed in to a Google account you are asked to do so. The page that opens is the Security management page of the account.
- Scroll down on the page until you get to the "signing in to other sites" section at the bottom of the page. Select the "Password Manager" option there.
- The page that opens lists all saved passwords and a "password checkup" option at the top. Select the "check passwords" link underneath it.
- The next page reveals what the tool does (checks the security of stored passwords). Activate the "check passwords" button on the page.
- You are asked to enter the account password again. Click on Next once you have done so.
- Google analyzes the passwords and groups passwords into compromised, reused and weak lists on the results page.
Green indicates that no issue has been found, other colors indicate issues that need your attention. The screenshot above shows that two weak passwords were identified by Google.
A click on the down arrow next to the entry displays the accounts and an option to change the password for each of the accounts. You may click on the menu icon next to an entry to display options to view the password, update the saved password, or delete it.
The change password link opens the linked URL; you have to figure out how to change the password on the site manually at that point.
Google may not recognize that the password changed if you don't use Chrome; you need to use the manual update password option in that case to get it to update.
Chrome password management improvements
Google published a Password Checkup extension for the company's Chrome browser in February 2019 designed to inform users about password related issues.
The tool checks passwords, as they are used, against a database of leaked (and thus potentially compromised) passwords. Users are informed if a password they use is found in the database and are encouraged to change it.
In August 2019, Google announced that it would integrate the password checker directly in the Chrome web browser.
Google is not the only browser maker that is improving password management and security capabilities. Mozilla launched Firefox Monitor in 2018 as a way to receive alerts about breaches and has plans to update the built-in password manager as well.
Options to check passwords and email addresses against leak databases are also available independently.
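As an added example (not Google's code, and not a reproduction of Google's actual protocol), the following Python script performs the three audits described above on a locally held vault: the compromised-password check is done as a k-anonymity hash-prefix query against a constructed leak set, so the "server" only ever sees five hex characters of the hash and never the password. The vault, the leak set and the weakness heuristic are all constructed for illustration; Google's checkup additionally blinds the query, which is not shown here.

```python
import hashlib
from collections import defaultdict

# Constructed leak set standing in for a breach corpus (real services hold billions).
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
LEAK_DB = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_PASSWORDS}


def range_lookup(prefix):
    """Server side of a k-anonymity range query: return the suffixes of every
    leaked hash starting with the 5-hex-char prefix. The server never learns
    the full hash, let alone the password."""
    assert len(prefix) == 5
    return [h[5:] for h in LEAK_DB if h.startswith(prefix)]


def is_compromised(password):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def is_weak(password):
    """Simple heuristic: shorter than 12 characters or fewer than 3 character classes."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(f(c) for c in password) for f in checks)
    return len(password) < 12 or classes < 3


def audit(vault):
    """Group a {site: password} vault into compromised, reused and weak lists."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    report = {"compromised": [], "reused": [], "weak": []}
    for site, pw in vault.items():
        if is_compromised(pw):
            report["compromised"].append(site)
        if len(by_password[pw]) > 1:
            report["reused"].append(site)
        if is_weak(pw):
            report["weak"].append(site)
    return report


# Constructed sample vault: one leaked password, one strong unique one, one reused pair.
SAMPLE_VAULT = {
    "shop.example": "letmein",
    "mail.example": "Correct-Horse-Battery-9",
    "forum.example": "Tr0ub4dor&3",
    "bank.example": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT))
```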
Now You: how do you manage passwords and keep an eye on them?
The password checkup extension used techniques like blinding and sending only hashes to avoid transmitting sensitive information to Google about passwords.
Does this work the same way? Are passwords only decrypted locally in the browser using the Google account password, and is only non-sensitive information sent for checking outside of the browser? I can’t find an answer in your article or on the Google announcement page. And they are not the type of company we should trust on these matters without even asking them the question.
That’s a good question and I have to admit that I don’t know the answer to that as I could not find information on Google’s website about it. My guess is that Google compares hashes only.
I prefer not to use any of the password managers in browsers though.
Not using browser password managers is a really good idea.
I read that a study of passwords stolen by hackers and stored in a cache of same showed that the majority of those passwords came from browser password managers.
As for Google, keep in mind that it was created with the assistance of the CIA. Put “CIA made Google” in a search engine and the article should come up first or second in the results – a meticulously researched piece of journalism. The CIA made Google to do the sort of social monitoring and control that it couldn’t do legally itself.
“how do you manage passwords and keep an eye on them?”
I have to manage a ton of passwords (around 100). I currently use UPM (universal password manager) to manage them. This is an Android app, but is entirely offline. I have an automated backup system that copies the entire contents of my phone to my backup server daily, so that I won’t lose my passwords should I flush my phone down a toilet or something.
I do not use password managers that are tied to browsers, nor anything that stores my passwords in the cloud. This means that I manually look up and type in passwords when needed. It’s less convenient, but more secure — and I prioritize security over convenience.
In practice, it’s not so bad, though. I use four of the passwords much more than the others, and for those four, manually entering them means that it only takes a couple of days after each password change before I have them set in my muscle memory.
I don’t scan my passwords though things like HIBP, though, primarily because it’s too much work. Also, it’s of minimal value to me since I change my important passwords reasonably frequently anyway (and they’re all randomly generated).
Keepass. And stop trusting Google, you all gave your lives to him, and some day it will eat you.
Giving Go Ogle access to one’s passwords, even in “encrypted” form, seems to me to be a very, very bad idea…
Google already collects too much information about us. Giving it access to our passwords would be a big mistake. I don’t even let Google peek inside my smartphone. I’ve installed /e/ OS, which is Android based but totally degoogled. It doesn’t send data to Google. It’s open source, done by e foundation.
I use KeePass to manage passwords. I would never trust the web browser itself and especially not Google! I’ve actually moved everything I can away from them since numerous insiders have come forward about their heavy bias and manipulation of what you see in their search engine and on YouTube! I refuse to support them in any way anymore, they’re evil!
I don’t think I need Google or any other service to tell me if my passwords are strong. At this point, users should be able to understand basic security, including password choice. If they still use weak passwords you can’t fix stupidity.