Google’s new Password Checkup extension checks the credentials you enter and tells you whether they have been leaked before in a data breach.
In 2019, more than 20 million unique passwords, among other credentials, were leaked and made available online for sale. That figure covers only one year since the advent of the internet, and although security has clearly improved over the years, attacks have increased as well.
Earlier, if you happened to hear of such a breach, you would have to use an online service like Have I Been Pwned? to check whether your credentials were part of it. Even that was something only the security-conscious did; many of us never made the effort to run even that one check.
Luckily, Google has stepped in with a new tool that automatically takes the login credentials we enter, in encrypted form, and verifies whether they may have been compromised by cross-checking them against a central database.
The tool, developed with the help of Stanford cryptography researchers, is available as the Password Checkup extension on the Chrome Web Store. It notifies users whenever they enter a username or password that has been leaked before in a data breach.
As all credentials are checked in encrypted form in real time, you can rest assured that Google cannot access your confidential data; at least, that’s what Google claims.
“By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information,” said Google in a blog post.
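As an added illustration (not code from Google or from the original article), here is one general way a breach lookup can run without the server learning the credential: the client sends a blinded hash plus a short hash prefix, and the server answers with its own key applied. The toy group, SHA-256, the 2-byte prefix, the sample accounts and every name below are assumptions chosen for the sketch.

```python
import hashlib
import secrets
from math import gcd

# Assumption: toy group modulus (Mersenne prime); real systems use an elliptic curve.
P = 2**521 - 1

def keygen():
    """Random exponent invertible mod P-1, so blinding can later be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def cred_hash(username, password):
    """Hash the credential pair (assumption: SHA-256; a slow hash is preferable)."""
    data = username.encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).digest()

def to_group(digest):
    return int.from_bytes(digest, "big") % P

class Server:
    """Holds breached credentials only as H(cred)^key, bucketed by hash prefix."""
    def __init__(self, breached):
        self.key = keygen()
        self.buckets = {}
        for user, pw in breached:
            d = cred_hash(user, pw)
            self.buckets.setdefault(d[:2], set()).add(pow(to_group(d), self.key, P))

    def lookup(self, prefix, blinded):
        # The server sees a 2-byte prefix and a blinded value, never the hash itself.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def is_breached(server, username, password):
    d = cred_hash(username, password)
    a = keygen()                                   # fresh client blinding key
    double, bucket = server.lookup(d[:2], pow(to_group(d), a, P))
    unblinded = pow(double, pow(a, -1, P - 1), P)  # strip a, leaving H^server_key
    return unblinded in bucket                     # match is decided locally

# Constructed sample data, not real leaked credentials.
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "123456")])
```

The short prefix only narrows the search to a bucket shared by many credentials, and the final comparison happens on the client, so the server never learns whether there was a match.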
However, the data Google has collected from one month of the extension’s use is enough to give security researchers a headache. Compiled into a study, it gives us an insight into how, despite being warned that their credentials were compromised, 26% of users continued to re-use their passwords on highly sensitive email accounts, a habit particularly widespread on shopping and news sites, among others.
While the main reason for continuing to use such credentials seems to be the classic human habit of not assigning enough importance to the matter, other factors such as shared accounts also played a part. For example, if 3 people use the same Netflix account, one of them may not change the password even if they know it is compromised, because doing so would cause difficulties for the other 2 people. Perhaps this confirms the notion that humans are the easiest point to attack in cybersecurity.
To sum up, the tool is currently available only as an extension. Nonetheless, reports indicate that Google intends to integrate it soon into Chrome 78, which will be released in October, so that users do not have to install it manually. Moreover, an option to disable the feature will likely be available in case someone does not want Google handling their data.