Google today, for Safer Internet Day, released Password Checkup, a Chrome extension that will alert users if their password for any site they use has been compromised and will prompt them to change their password.
The extension works by running a query of a user’s website credentials against Google’s database of credentials it has collected from past credential leaks.
The service is underpinned by Google’s database of four billion credentials from past third-party data breaches that were subsequently dumped online.
Google currently uses this database to check whether Google users have reused the same credentials for a Google account as those exposed in a third-party breach. Where it finds a match, it forces a password reset.
The Password Checkup extension is intended to broaden protections to Chrome users on sites beyond Google.
As Google explains, it hashes and encrypts a copy of compromised usernames and passwords it collects from public credential dumps.
With Password Checkup installed, every time a Chrome user logs into a non-Google website, the extension takes a copy of the user’s credentials, which are then hashed, encrypted and sent to Google.
Google then uses privacy-preserving techniques developed by Google and Stanford University researchers to search its entire database for a match, without revealing users’ account details.
The actual check to determine if a username or password was in a data breach happens on the user’s device, according to Google.
“At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried,” explain the team of researchers who developed the extension.
“At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding.”
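To make the blinded, k-anonymised lookup the researchers describe concrete, here is an added toy model of the exchange (example code written for this article, not Google's implementation): the client sends only a short prefix of the username hash plus a blinded hash of the credential pair, the server raises the blinded value to its secret key and returns the matching bucket, and the client unblinds and decides the match locally. The group (the multiplicative group modulo the Mersenne prime 2^127 - 1), the 16-bit prefix and the leaked sample credentials are assumptions for illustration; the real service uses a proper elliptic-curve group, slower hashing and private information retrieval rather than a plain bucket download.

```python
import hashlib
import math
import secrets

# Toy group: multiplicative group mod the Mersenne prime 2^127 - 1 (prime, but
# far too small for real use; this stands in for Google's elliptic-curve group).
P = (1 << 127) - 1
ORDER = P - 1          # exponents are reduced modulo the group order


def hash_to_group(username: str, password: str) -> int:
    """First hashing round: map the credential pair to a non-zero group element."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2      # in [2, P-1]


def username_prefix(username: str) -> bytes:
    """k-anonymity bucket key: the first 2 bytes (16 bits) of the username hash."""
    return hashlib.sha256(username.encode()).digest()[:2]


class BreachServer:
    """Holds keyed hashes of leaked credentials, bucketed by username-hash prefix."""

    def __init__(self, leaked_credentials):
        self.key = secrets.randbelow(ORDER - 1) + 1        # secret, never leaves the server
        self.buckets = {}
        for user, pw in leaked_credentials:
            keyed = pow(hash_to_group(user, pw), self.key, P)   # second round: H(cred)^k
            self.buckets.setdefault(username_prefix(user), set()).add(keyed)

    def query(self, prefix: bytes, blinded: int):
        """The server sees only a 16-bit prefix and a blinded element, never the credential."""
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind, then compare locally against the bucket."""
    h = hash_to_group(username, password)
    while True:                                   # blinding factor must be invertible mod ORDER
        r = secrets.randbelow(ORDER - 1) + 1
        if math.gcd(r, ORDER) == 1:
            break
    blinded = pow(h, r, P)                        # H(cred)^r hides H(cred) from the server
    signed, bucket = server.query(username_prefix(username), blinded)
    unblinded = pow(signed, pow(r, -1, ORDER), P)  # ((H^r)^k)^(1/r) = H^k
    return unblinded in bucket                    # the match is decided on the device
```

Because the bucket holds H(cred)^k rather than H(cred), an offline attacker who obtains a bucket cannot brute-force passwords against it without asking the server once per guess, which is what the researchers mean by making guessing "not an option".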
Google is planning on rolling out updates to the extension in coming months to improve site compatibility and password field detection.
The extension will send anonymous data to Google, including the number of lookups that discover an unsafe credential, whether an alert leads to a user changing their password, and, to improve site compatibility, the web domain involved.
Google also released five tips for users to keep their accounts secure. These include setting up a recovery phone number or email address to help if an account has been hijacked, avoiding password reuse and using a password manager, keeping software and operating systems up to date, setting up two-factor authentication where available, and taking the company’s security checkup.
A security survey of 3,000 users by Google and Harris Poll in February found that 52 percent of people reuse the same password for multiple but not all accounts, while 35 percent use a unique password for each account, and 13 percent reuse the same password for all accounts.
It also found that only 24 percent of people use a password manager.