In the wake of the Collections data breaches that have exposed billions of user email addresses and passwords, the need to keep your online account credentials safe has become even more dire. In a step toward improving account security, Google has released Password Checkup, a plugin for Chrome that notifies users if their accounts have been compromised.
The way it works is simple: whenever you enter your username and password, Password Checkup compares them against a database of known vulnerable credentials. If Password Checkup finds a match, it notifies the user. The plugin checks ALL account logins, not just logins to Google services, so the check covers every site you sign in to.
Google stresses that Password Checkup notifications are actionable rather than just informative, and users will be prompted to take appropriate steps (such as updating passwords) if a vulnerability is found. To prevent notification fatigue, Password Checkup will ignore outdated passwords that have already been updated or particularly weak passwords like ‘123456’ unless they appear in a data breach. Password Checkup will only alert the user if both username and password appear in their breach database, as that is when accounts are most vulnerable.
Google has taken steps to ensure that it is never in possession of the usernames and passwords collected by Password Checkup; a cryptographic technique called ‘blinding’ is used to allow the plugin to process your data without Google having visibility into it. The plugin is designed to prevent hackers from exploiting it, and any reported statistics (including the number of lookups that reveal unsafe credentials, whether an alert leads to a password change, the domain name, etc.) are meant to be confidential.
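To illustrate the idea of blinding mentioned above, here is an added sketch in Python (not Google's code and not taken from the plugin): a client checks a credential pair against a server's breach set using commutative exponent blinding, so the server only ever receives a blinded value. The group, the hash-to-group step and all names (`Server`, `is_breached`, `SAMPLE_BREACH`) are assumptions chosen for illustration, and the toy parameters are not suitable for real use.

```python
import hashlib
import math
import secrets

# Illustrative group: integers modulo the Mersenne prime 2^521 - 1.
# Assumption for this sketch only; not a vetted parameter choice.
P = 2**521 - 1

def hash_to_group(username: str, password: str) -> int:
    """Map a (username, password) pair to a nonzero element modulo P."""
    data = username.encode() + b"\x00" + password.encode()
    digest = hashlib.sha512(data).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def new_blinding_key() -> int:
    """Random exponent that is invertible modulo the group order P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    """Hypothetical breach service: stores entries only as H(u, p)^b mod P."""
    def __init__(self, breached):
        self._b = new_blinding_key()  # server secret, never leaves the server
        self.index = {pow(hash_to_group(u, p), self._b, P) for u, p in breached}

    def reblind(self, blinded: int) -> int:
        # The server receives H^a only, never the credentials or H itself.
        return pow(blinded, self._b, P)

def is_breached(server: Server, username: str, password: str) -> bool:
    """Client side: blind, let the server apply its key, unblind, compare."""
    a = new_blinding_key()                                  # fresh per lookup
    blinded = pow(hash_to_group(username, password), a, P)  # H^a
    double_blinded = server.reblind(blinded)                # H^(a*b)
    a_inv = pow(a, -1, P - 1)                               # undo the client's key
    unblinded = pow(double_blinded, a_inv, P)               # H^b
    # The H^b entries can be shared with clients because b stays secret.
    return unblinded in server.index

# Constructed sample data, not real breach records.
SAMPLE_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]
```

Because the username and password are hashed together, a lookup matches only when both appear as a pair in the breach set, which mirrors the alerting rule described earlier.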
Password Checkup is available now. This is still an early release of the plugin, and Google will continue to make refinements in the coming months to improve site compatibility and field detection.
A major factor in securing your online accounts is knowing when they might be vulnerable. Nodal has previously recommended sites like HaveIBeenPwned and the Hasso-Plattner Institute to check credentials for vulnerabilities, and Password Checkup seeks to automate this process and provide immediate notification if your accounts are compromised.
For Google’s official announcement on the plugin and its functionality, check out the Google Security Blog. If you have further questions about securing your online accounts or whether your credentials may be vulnerable, contact Nodal!