Google has released a Chrome extension that automatically detects if your entered password has ever been leaked. “Password Checkup” was announced on 5 February, and functions as your silent security assistant as you surf the web.
There have been several announcements of password leaks over the past few weeks. “Collection #1” and, a week later, “Collection #2-5”, for instance, leaked a total of nearly 3 billion email addresses and passwords. These immense data dumps then circulate on the internet, meaning your professional or personal email details could be in someone else’s possession.
You can check whether your email address has been leaked in any of the identified data dumps in several ways, such as via the site haveibeenpwned.com. The site, managed by cyber security expert Troy Hunt, runs your email address through a database of known leaks. It tells you if your email has ever been part of a leak, so you can change your password accordingly. However, like most people, you probably use one email address for many different web accounts, making it difficult and time-consuming to trace and adjust all passwords.
Google’s Password Checkup works in a similar way to haveibeenpwned.com, but doesn’t require your active input. It runs in the background and automatically checks whether the password that you have just entered has been leaked. If it has, it will let you know via a notification so you can prevent an account takeover. The database consists of roughly four billion usernames and passwords.
The method does raise some concerns about Google collecting your passwords. However, Google security and anti-abuse research scientist Kurt Thomas states that “Google never learns your username and password in the process.”
Also, the extensive database makes a data breach on Google’s part all the more dangerous. Still, Google’s own digital security is top-notch, especially for this kind of data. They collaborated with cryptographers at Stanford University to devise layers of security measures that scramble the database and provide very strong anonymity for the information. You can read more about the extension and the decryption here.
Password Checkup seems to be a convenient aid to your online security, for both professional and private use. Combining the service with a password manager that remembers and auto-fills your (preferably randomly generated) passwords will significantly decrease the chances of finding your details in the next data dump.