Published on the 09/10/2019 | Written by Jonathan Cotton
Google aims to plug password leaks with browser-based hacked credential checker…
In the age of the data breach, it seems that everybody, everywhere has had their credentials accessed by a nefarious third party at some point. (Not convinced? Click here and despair).
Google’s decided to do something about it, releasing a new browser extension that helps you identify (and re-secure) accounts that have been affected by data breaches.
The result of a collaboration between cryptography researchers at Google and Stanford University, Password Checkup checks the strength and security of all of your saved passwords, tells you if any have been compromised, and gives you personalised, actionable recommendations when needed.
“Password Checkup is built from our Chrome extension launched earlier this year, which alerts you if your username or password has been compromised in a third-party data breach,” says Andreas Tuerk, Password Manager product manager.
“The extension has been downloaded more than one million times, with nearly half of those users receiving a warning for a compromised password. Later this year, we’ll build Password Checkup technology directly into Chrome for everyone – so you get real time protection as you type your password without needing to install a separate extension.”
Google says Password Checkup has been designed to provide easily actionable alerts, avoid user fatigue and put user privacy first. All statistics reported, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility, are anonymous.
“At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried,” says Google software engineer, Jennifer Pullman.
“At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity and private set intersection with blinding.
“While single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer solve some of our requirements, the communication overhead involved for a database of over four billion records is presently intractable. Alternatively, k-party PIR and hardware enclaves present efficient alternatives, but they require user trust in schemes that are not widely deployed yet in practice. For k-party PIR, there is a risk of collusion; for enclaves, there is a risk of hardware vulnerabilities and side-channels.”
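A simplified sketch of the kind of query Pullman describes, added here as an illustration and not Google's code: the client reveals only a short hash prefix (k-anonymity) and a blinded value, and learns only whether its own credential is in the breach set. Assumptions: a single SHA-256 stands in for the multiple rounds of hashing, modular exponentiation mod 2^255 - 19 stands in for a production-grade group, and the prefix length, names and sample credentials are constructed.

```python
import hashlib
import math
import secrets

P = 2**255 - 19      # prime modulus of the toy group (assumption, not from the article)
PREFIX_HEX = 4       # hex chars of the hash revealed to the server (assumption)

def cred_hash(user, password):
    return hashlib.sha256(f"{user}\x00{password}".encode()).digest()

def to_group(digest):
    return int.from_bytes(digest, "big") % P

class Server:
    """Holds breached credentials only as H^b, bucketed by hash prefix."""
    def __init__(self, breached):
        self.key = secrets.randbelow(P - 3) + 2           # server secret exponent b
        self.buckets = {}
        for user, password in breached:
            d = cred_hash(user, password)
            entry = pow(to_group(d), self.key, P)         # H^b
            self.buckets.setdefault(d.hex()[:PREFIX_HEX], set()).add(entry)

    def lookup(self, prefix, blinded):
        # The server sees a prefix shared by many credentials plus H^a,
        # which it cannot link to a hash without the client's exponent a.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def client_check(server, user, password):
    d = cred_hash(user, password)
    while True:                                           # a must be invertible mod P-1
        a = secrets.randbelow(P - 3) + 2
        if math.gcd(a, P - 1) == 1:
            break
    blinded = pow(to_group(d), a, P)                      # H^a
    double, bucket = server.lookup(d.hex()[:PREFIX_HEX], blinded)
    unblinded = pow(double, pow(a, -1, P - 1), P)         # (H^ab)^(1/a) = H^b
    # Bucket entries are H^b for other credentials; without b the client
    # cannot reverse them or test guesses offline.
    return unblinded in bucket

# Constructed sample data, not real breach records.
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]

if __name__ == "__main__":
    srv = Server(BREACHED)
    print(client_check(srv, "alice@example.com", "hunter2"))        # breached
    print(client_check(srv, "alice@example.com", "correct horse"))  # not breached
```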
It all sounds very complicated, but from a user perspective things couldn’t be easier. To use Password Checkup, simply:
- Download the extension here: https://goo.gl/t25VAS
- Navigate to https://myaccount.google.com
- Navigate to ‘Security’
- Scroll down to ‘Signing into other sites’
- Select ‘Password Manager’
- Click ‘Check passwords’
- Be horrified, then spend the day updating compromised passwords
The functionality is currently available as an extension, but by December Password Checkup should appear as a built-in Chrome feature.