Chrome may soon check saved passwords for weaknesses

Martin Brinkmann
Aug 23, 2020
Google Chrome

Most web browsers come with options to save account information, usually username and password, when users sign-up for new services or sign-in to a service.

Google's Chrome web browser and other Chromium-based browsers are no exception to that. Google started to integrated a password checker in the company's Chrome browser back in 2019 to alert users about passwords founds in leaks. The company released a Password Checkup extension initially but decided to integrate the functionality into Chrome natively.

The upcoming release of Google Chrome 87 improves the functionality further if everything goes according to plan. Google has integrated options to check for weak passwords in the latest Chrome Canary version. Chrome Canary is the cutting edge development version of Google Chrome.

For now, it is necessary to enable the feature on Chrome's experimental flags page. Note that the new feature requires that you sign-in to a Google Account in Chrome as you won't be able to use it otherwise.

chrome passwords weakness check

Here is how you enable the weak password check feature in Chrome:

  1. Make sure you run at least Chrome 87. You can check that by loading chrome://settings/help.
  2. Load chrome://flags/ in the web browser's address bar.
  3. Search for "passwords weakness check". You may also load chrome://flags/#passwords-weakness-check directly if you prefer that.
  4. Set the flag to Enabled.
  5. Restart the Chrome browser.

The feature is available in all desktop versions of Google Chrome but not on Android or iOS.

To run a check for weak passwords in Chrome, do the following:

  1. Load chrome://settings/passwords in the browser's address bar to open the Password settings and interface.
  2. Active the "check passwords" button in the interface.

Chrome checks all stored passwords and alerts you about compromised or weak passwords. The browser suggests to change compromised or weak passwords immediately.

Google does not reveal information about the algorithm that it uses to determine whether a password is weak. Chrome may also display alerts to the user when passwords are used actively and detected as weak, similarly to how Chrome warns users if compromised passwords are used in the web browser.

Closing Words

Users who store passwords in the web browser may soon be alerted about weak passwords next to compromised passwords; that is a good thing as it may help them improve password security. Downside to Google's implementation is the account requirement. Not everyone signs-in to the browser and many users don't want to; restricting the password checkup feature to signed-in accounts limits the useful functionality.

Now You: Password checks in browsers, yay or nay? What is your take on this?

Chrome may soon check saved passwords for weaknesses
Article Name
Chrome may soon check saved passwords for weaknesses
Starting in Google Chrome 87, Chrome may include options to check saved and used passwords for weaknesses.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. ULBoom said on August 24, 2020 at 4:04 pm

    “Our users are overloaded with services, we need more services!”

    No, I don’t trust ANY browser. Except for syncing unimportant accounts (like, who has those?), putting passwords in a text file is more secure.

    Or just listing them here:
    1. pwd
    2. password
    3. pwd1
    4. password1
    5. etc

    Google’s not even trying to be sneaky any more.

  2. Steve said on August 24, 2020 at 5:27 am

    If you browser has to tell you that you picked a weak password, then maybe it is too late. I mean, most probable it isn’t the first password you used, and surely if you have this bad habit it has been happening for years. So, with all the database breaches and millions of records exposed, think what is more reasonable: trusting that Chrome will save you or changing all your passwords now and don’t bet on it?

  3. NA said on August 23, 2020 at 7:51 pm

    The code source on the password software is closed?

  4. Mothy said on August 23, 2020 at 7:26 pm

    Not that I use Chrome as I consider it spyware, but nay on browser password checks. I don’t need big brother looking over my shoulder to check their strength. I don’t store them in the browser anyway instead use KeePass.

    As to Google, kicked them to the curb a year ago (switched to ProtonMail), the only service of theirs I use anymore is occasionally maps.

    1. Rob.G said on August 28, 2020 at 10:19 am

      ” I don’t store them in the browser anyway instead use KeePass”.

      Good idea avoiding Chrome. But of course nothing is 100% safe..

      “Exploiting KeePassRPC – SBA Student finds Vulnerability”

      1. Mothy said on August 31, 2020 at 3:24 pm


        Thanks for the info. The exploit requires the KeePassRPC add-on is installed which I don’t have as I make a point of not installing any add-ons to reduce the attack surface of the browser. But also because I’ve yet to really find a need for them.

        Instead once the KeePass database is unlocked I use the copy function (CTRL+B for username and CTRL+C for password) then ALT+Tab to the browser and paste (CTRL+V) into the appropriate field (KeePass then automatically clears them from the clipboard after 12 seconds). It’s more work than if I were to use the add-on but as I’ve said here many times it’s the ol’ axiom “Security is inversely proportional to convenience.”.

  5. Anonymous said on August 23, 2020 at 5:04 pm

    Chrome, an ideal browser for lemmings. Download NOW!

    1. Iron Heart said on August 23, 2020 at 5:53 pm

      Which mainstream browser isn’t? None of them respect – let alone empower – users.

  6. Herman Cost said on August 23, 2020 at 3:27 pm

    Very negative. Big Brother is watching you. If Google wants to do something like this, a user should be able to opt out of it, and there should be a hard option to ensure that Google has no access to any users passwords without express permission from the user.

    I’m actually shocked that you seem to think limiting this to users with signed in accounts is a bad idea (if that what ‘downside’ means). I don’t use Chrome for privacy reasons, but I do use certain Google services (mainly Maps) because I find them useful. However, I only sign in to my account on rare occasions (mainly when I want to tinker with something in it or pretend to myself that by deleting stored data I am actually keeping data from Google), and I sign right out when I am done.

  7. Stv said on August 23, 2020 at 11:11 am

    If you use the built-in password manager:

    – they will have all your passwords (hashed or encrypted does not matter) in their database and they will promise you (again) that it won’t be sold (again)…only with a court order and for some $.

    – 3 letters agencies don’t need to hassle with MItM or hacking services anymore they collect it from a central source “legally”.

    It is only for your safety of course.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.