Google announced the release of the Password Checkup Chrome extension, designed to keep an eye on current data breaches and notify its users when their accounts have been affected by a recent security breach.
While Google already resets the passwords of user accounts that might have been affected by third-party breaches, as part of an effort to limit the potential security impact on its users’ accounts, that protection covers only Google accounts.
The new Password Checkup Chrome extension was developed to extend Google’s data breach protections to all the other accounts a user might use to log into other websites and apps.
After Password Checkup is installed in Chrome, it will automatically warn the user and suggest a password change whenever it detects that the username and password combination used on the current site is one of over 4 billion credentials Google knows to have been previously compromised in data breach events.
While the user’s account details are sent to Google’s servers, the search giant “developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University” to make sure that no one, including Google employees, can see those accounts’ details.
To be more exact:
Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding.
The blinding technique Google uses to further protect account details is a method by which a service provider computes a function on a client’s input in a masked (blinded) form, so that the provider learns neither the original input nor the actual result.
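As an added illustration (not Google’s code and not the exact protocol Google deploys), the Python sketch below shows how the building blocks named in the two paragraphs above can fit together: the credential pair is hashed into a prime-order group, the client sends only a short prefix of the hashed username (k-anonymity) together with a blinded group element, the server raises the blinded value to its secret key without learning the credential, and the client unblinds the answer and checks it against the keyed values in the bucket the server returned. The group size, the 2-byte bucket width, the message layout and all sample credentials are assumptions chosen for readability.

```python
import hashlib
import secrets

# Added illustration of the building blocks the article names (hashing, k-anonymity
# buckets and blinding). Not Google's code and not its exact protocol: the group,
# the 2-byte bucket width and the message shapes are assumptions for readability.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=24):
    """Trial division followed by Miller-Rabin; sufficient for a demo group."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits):
    """Return p = 2q + 1 with q prime; the squares mod p then form a group of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class Group:
    """Prime-order subgroup of Z_p^* (toy size; real deployments use 2048-bit groups or elliptic curves)."""

    def __init__(self, bits=128):
        self.p = gen_safe_prime(bits)
        self.q = (self.p - 1) // 2

    def hash_to_group(self, username, password):
        # Hash the credential pair, then square so the element lies in the order-q subgroup.
        digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
        h = int.from_bytes(digest, "big") % self.p
        return pow(h, 2, self.p)


def username_bucket(username):
    """k-anonymity: only a 2-byte prefix of the hashed username leaves the client (assumed width)."""
    return hashlib.sha256(username.encode()).digest()[:2]


class BreachServer:
    """Holds leaked credentials only as keyed group elements, grouped by username bucket."""

    def __init__(self, group, leaked_credentials):
        self.g = group
        self.key = secrets.randbelow(group.q - 1) + 1  # server secret, never sent to clients
        self.buckets = {}
        for user, pw in leaked_credentials:
            keyed = pow(group.hash_to_group(user, pw), self.key, group.p)
            self.buckets.setdefault(username_bucket(user), set()).add(keyed)

    def lookup(self, bucket, blinded):
        # The server keys a value it cannot link to any credential and returns the whole bucket.
        return pow(blinded, self.key, self.g.p), self.buckets.get(bucket, set())


class CheckupClient:
    def __init__(self, group):
        self.g = group

    def is_compromised(self, server, username, password):
        x = self.g.hash_to_group(username, password)
        r = secrets.randbelow(self.g.q - 1) + 1        # fresh blinding factor per query
        blinded = pow(x, r, self.g.p)                  # x^r reveals nothing about x
        keyed_blinded, bucket = server.lookup(username_bucket(username), blinded)
        r_inv = pow(r, -1, self.g.q)                   # exponents are reduced mod the group order q
        keyed = pow(keyed_blinded, r_inv, self.g.p)    # ((x^r)^k)^(1/r) = x^k
        return keyed in bucket


if __name__ == "__main__":
    # Constructed sample breach data; these are not real accounts.
    g = Group()
    server = BreachServer(g, [("alice@example.test", "hunter2"), ("bob@example.test", "letmein")])
    client = CheckupClient(g)
    print(client.is_compromised(server, "alice@example.test", "hunter2"))        # True
    print(client.is_compromised(server, "alice@example.test", "correct-horse"))  # False
```

Because the server only ever sees x^r for a fresh random r, it cannot relate the query to any candidate password, and because the client only ever receives values keyed with the server secret, the returned bucket cannot be dictionary-tested offline; the bucket prefix is what bounds how much a server could infer about which username is being checked. A production system would use a 2048-bit group or an elliptic curve rather than the 128-bit toy modulus generated here.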
As detailed on Password Checkup’s Chrome Web Store entry, “It never reports any identifying information about your accounts, passwords, or device. We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.”
Password Checkup is currently available in the Chrome Web Store as an extension for Chrome, while more information on how to use it or toggle it on or off is available on the “Protect accounts that have unsafe passwords” Google support page.
Google is not the first to offer this kind of service. Mozilla introduced its Firefox Monitor platform on September 25, 2018, a service that uses Troy Hunt’s “Have I Been Pwned” database of email addresses affected by data breaches.
The difference between Google’s Password Checkup and Firefox Monitor is that the latter notifies you that a breach included your email address only if the website was breached during the past 12 months. Consequently, you will not learn that your account was part of a breach until you visit the affected website.
Password Checkup, by contrast, warns you that something is wrong at the moment you try to log in to a site with a specific username and password combination that has been compromised.