Chrome may soon check saved passwords for weaknesses
Most web browsers come with options to save account information, usually username and password, when users sign up for new services or sign in to a service.
Google's Chrome web browser and other Chromium-based browsers are no exception to that. Google started to integrate a password checker in the company's Chrome browser back in 2019 to alert users about passwords found in leaks. The company released a Password Checkup extension initially but decided to integrate the functionality into Chrome natively.
The upcoming release of Google Chrome 87 improves the functionality further if everything goes according to plan. Google has integrated options to check for weak passwords in the latest Chrome Canary version. Chrome Canary is the cutting edge development version of Google Chrome.
For now, it is necessary to enable the feature on Chrome's experimental flags page. Note that the new feature requires that you sign in to a Google Account in Chrome as you won't be able to use it otherwise.
Here is how you enable the weak password check feature in Chrome:
- Make sure you run at least Chrome 87. You can check that by loading chrome://settings/help.
- Load chrome://flags/ in the web browser's address bar.
- Search for "passwords weakness check". You may also load chrome://flags/#passwords-weakness-check directly if you prefer that.
- Set the flag to Enabled.
- Restart the Chrome browser.
The feature is available in all desktop versions of Google Chrome but not on Android or iOS.
To run a check for weak passwords in Chrome, do the following:
- Load chrome://settings/passwords in the browser's address bar to open the Password settings and interface.
- Activate the "check passwords" button in the interface.
Chrome checks all stored passwords and alerts you about compromised or weak passwords. The browser suggests changing compromised or weak passwords immediately.
Google does not reveal information about the algorithm that it uses to determine whether a password is weak. Chrome may also display alerts to the user when passwords are used actively and detected as weak, similarly to how Chrome warns users if compromised passwords are used in the web browser.
Closing Words
Users who store passwords in the web browser may soon be alerted about weak passwords next to compromised passwords; that is a good thing as it may help them improve password security. The downside to Google's implementation is the account requirement. Not everyone signs in to the browser and many users don't want to; restricting the password checkup feature to signed-in accounts limits the useful functionality.
Now You: Password checks in browsers, yay or nay? What is your take on this?
“Our users are overloaded with services, we need more services!”
No, I don’t trust ANY browser. Except for syncing unimportant accounts (like, who has those?), putting passwords in a text file is more secure.
Or just listing them here:
1. pwd
2. password
3. pwd1
4. password1
5. etc
Google’s not even trying to be sneaky any more.
If your browser has to tell you that you picked a weak password, then maybe it is too late. I mean, most probably it isn’t the first password you used, and surely if you have this bad habit it has been happening for years. So, with all the database breaches and millions of records exposed, think what is more reasonable: trusting that Chrome will save you or changing all your passwords now and don’t bet on it?
The code source on the password software is closed?
Not that I use Chrome as I consider it spyware, but nay on browser password checks. I don’t need big brother looking over my shoulder to check their strength. I don’t store them in the browser anyway instead use KeePass.
As to Google, kicked them to the curb a year ago (switched to ProtonMail), the only service of theirs I use anymore is occasionally maps.
“I don’t store them in the browser anyway instead use KeePass”.
Good idea avoiding Chrome. But of course nothing is 100% safe..
“Exploiting KeePassRPC – SBA Student finds Vulnerability”
https://www.sba-research.org/2020/08/03/exploiting-keepassrpc-sba-student-finds-vulnerability/
@Rob.G
Thanks for the info. The exploit requires the KeePassRPC add-on is installed which I don’t have as I make a point of not installing any add-ons to reduce the attack surface of the browser. But also because I’ve yet to really find a need for them.
Instead once the KeePass database is unlocked I use the copy function (CTRL+B for username and CTRL+C for password) then ALT+Tab to the browser and paste (CTRL+V) into the appropriate field (KeePass then automatically clears them from the clipboard after 12 seconds). It’s more work than if I were to use the add-on but as I’ve said here many times it’s the ol’ axiom “Security is inversely proportional to convenience.”
Chrome, an ideal browser for lemmings. Download NOW!
Which mainstream browser isn’t? None of them respect – let alone empower – users.
Very negative. Big Brother is watching you. If Google wants to do something like this, a user should be able to opt out of it, and there should be a hard option to ensure that Google has no access to any user’s passwords without express permission from the user.
I’m actually shocked that you seem to think limiting this to users with signed in accounts is a bad idea (if that is what ‘downside’ means). I don’t use Chrome for privacy reasons, but I do use certain Google services (mainly Maps) because I find them useful. However, I only sign in to my account on rare occasions (mainly when I want to tinker with something in it or pretend to myself that by deleting stored data I am actually keeping data from Google), and I sign right out when I am done.
If you use the built-in password manager:
– they will have all your passwords (hashed or encrypted does not matter) in their database and they will promise you (again) that it won’t be sold (again)…only with a court order and for some $.
– 3-letter agencies don’t need to hassle with MITM or hacking services anymore; they collect it from a central source “legally”.
It is only for your safety of course.