Google has released a new Chrome browser extension called “Password Checkup” that automatically tells you when your passwords have been compromised.
The new plugin runs in Chrome while you are browsing and automatically checks login details you enter on all sites against a database of around four billion known compromised passwords. If the plugin finds a match, it will warn you.
According to the plugin’s overview page, “Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert.”
Google says that the plugin was developed with privacy in mind and never reports any identifying information about your accounts, passwords, or device. It should be noted that the plugin does report anonymous information about “the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.”
The company said in a blog post that it “designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords.”
The plugin was designed jointly with cryptography experts at Stanford University to ensure that Google has no way of seeing your data and that any breach data stays safe from wider exposure.
According to Wired, Google says that it has never bought stolen credentials but does accept donations of stolen credentials from researchers.
Q: Can Google see your login credentials?
A: No, the Password Checkup tool uses a #privacy-oriented implementation that keeps all your info private and anonymous by encrypting it before checking them against an online database of 4 billion (and growing…) leaked credentials.
— The Hacker News (@TheHackersNews) February 5, 2019
Elie Bursztein, who leads the anti-abuse research team at Google, was quoted by Wired as saying:
“We’ve reset something like 110 million passwords on Google accounts because of massive breaches and other data exposures.
“The idea is, can we have a way to do it everywhere? It works in the background and then after 10 seconds you may get a warning that says ‘hey, this is part of a data breach, you should consider changing your password’. We want it to be 100 percent if we show it to you you have to change it.”