Google's New Chrome Extension Finds Your Hacked Passwords

  • MORE

Google has just rolled out a new Chrome browser extension that warns you if a username-password combination has been compromised in a data breach.

shutterstock 575551330

 

Called Password Checkup, the extension is available now, although Google warns that it's still a work in progress. Password Checkup compares the credentials you input into any website against a database of four billion known compromised credential sets and lets you know if your username-password combo is no longer good.

So if you sign into Acme.com with the username "roadrunner@gmail.com" and the password "BeepBeep", Password Checkup will send an encrypted version of those credentials over to its database.

If the the roadrunner@gmail.com/BeepBeep combo is among the four billion hacked sets of credentials, you'll get a big red warning that "your password for www.acme.com is no longer safe due to a data breach," and that you should change your password. If not, you'll be reassured that everything is good.

MORE: Best Password Managers

Google told Wired's Lily Hay Newman that its database is not the same as the Have I Been Pwned database of six billion compromised credential sets maintained by Australian security researcher Troy Hunt. Yet there's bound to be some overlap between the two.

There's another big difference: Have I Been Pwned lets you check passwords by themselves, and email addresses by themselves, but never both at the same time. That's because Hunt doesn't want Have I Been Pwned to be used by identity thieves to check whether a specific email address/password combination is valid.

Otherwise, anyone could try to "brute force" Have I Been Pwned by running, say, the 1,000 most commonly used passwords against a list of known or generated email addresses.

Google's Password Checkup does check both credentials at the same time, which makes us a little worried that the browser extension will make unsafe credentials even less safe. (Using it to check your own passwords should be perfectly fine.)

An official Google blog posting says the company "designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords."

We haven't had a chance to stress-test Password Checkup to see if those protections against brute-forcing work. But someone else certainly will.

This post originally appeared on Tom's Guide.

Add a comment