Anyone who has a presence on the internet is likely to be suffering from breach fatigue.
Data leaks are reported in the headlines on a daily basis, and users can feel so overwhelmed by the sheer number of breaches that they feel there’s little they can do to keep ahead of hackers. It can almost feel like a full-time job as you try to determine if your online accounts might be at risk from the latest hack and review your login credentials to ensure that you haven’t made the mistake of reusing the same password in multiple places.
Recent revelations like the discovery of the Collection #1 data set of approximately 800 million email addresses and tens of millions of passwords can make the problem seem monumental, even if many of the passwords may have been collected from breaches that took place years ago.
However, Google believes that technology can play its part to help better alert users who are at risk and reduce the chances of accounts becoming compromised through the phenomenon of “credential stuffing” or “password reuse” attacks.
Towards that end, the tech giant this week released an optional extension for the Google Chrome browser that will trigger a visual warning if it determines you are using a username/password combination that it knows to be unsafe.
The Password Checkup Chrome extension (available for free from Chrome’s extension web store here) watches as you enter your username and password on a website, and if it determines they have been exposed in a past data breach (even if that breach occurred at a different website), it displays an alert telling you to reset your password.
Wisely, the extension also suggests that if you use the same username and password for any other accounts, you should reset your password there, too.
Here’s a snippet about the extension:
Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords or device. We do report anonymous information about the number of look-ups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. You can learn more about how Password Checkup works at https://support.google.com/accounts?p=password-checkup.
Google says that it doesn’t want to alert users unless absolutely necessary – to avoid fatigue setting in. With that in mind, don’t be surprised if the Password Checkup extension doesn’t alert you if you have made the mistake of using a weak password like “123456” or “password1.” What it’s looking for is the combination of your password *and* your username in a breach, as that poses a greater risk of exploitation.
At first glance, Google’s Password Checkup extension sounds similar to Mozilla’s Firefox Monitor feature that advises web surfers to check if their accounts might be at risk when they visit sites that have suffered a breach.
But Google’s Chrome extension goes one significant step further, actually *examining* your login credentials (username/email address and password) as they are entered on a site and checking whether they match details that Google knows have been previously exposed.
This, unsurprisingly, may make some users cautious. After all, would you feel comfortable knowing that a browser extension was snooping on your passwords? Even if Google doesn’t have malice in mind, do you feel confident that they will have done their job properly to ensure that the data doesn’t fall into the wrong hands?
Google’s engineers clearly anticipated this concern and say they have partnered with encryption experts to ensure that no sensitive data was ever transmitted to Google:
Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure.
More details on the steps Google took to ensure that Password Checkup was able to query the breach status of a username and password without revealing the credentials queried can be found in this company blog post.
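The linked blog post is not part of this page, so to make the privacy goal concrete here is an added, simplified illustration of how a breach lookup can be answered without the server ever seeing the queried credential. It is my own toy example, not Google’s protocol or code: the client hashes the username and password *together* (the combination is what the extension looks for, as noted above), sends only a short hash prefix to select a bucket plus a blinded copy of the hash, and the server answers with its own secret exponent applied to everything. The prime, the use of plain modular exponentiation as the commutative blind, SHA-256 as the hash and the two-byte prefix width are all assumptions chosen for demonstration.

```python
import hashlib
import secrets
from math import gcd

# Toy group: the multiplicative group modulo the Mersenne prime 2**521 - 1.
# This is an assumption for the demo only; a deployed scheme would use a proper
# elliptic-curve group and a memory-hard hash, neither of which this page describes.
P = 2**521 - 1
ORDER = P - 1          # group order; blinding exponents must be coprime with it
PREFIX_BYTES = 2       # assumed bucket width: the server learns only these bytes


def credential_hash(username: str, password: str) -> bytes:
    """Hash the username/password *pair*, so a reused password on a different
    account does not match by itself (the page's point about combinations)."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def to_group(digest: bytes) -> int:
    """Map a digest into an element of the toy group, avoiding 0, 1 and P-1."""
    return 2 + int.from_bytes(digest, "big") % (P - 3)


def random_exponent() -> int:
    """Random exponent invertible modulo the group order."""
    while True:
        e = secrets.randbelow(ORDER - 2) + 2
        if gcd(e, ORDER) == 1:
            return e


class BreachServer:
    """Holds leaked (username, password) pairs only in blinded form."""

    def __init__(self, leaked_pairs):
        self.key = random_exponent()          # server's secret exponent k
        self.buckets = {}
        for user, pw in leaked_pairs:
            d = credential_hash(user, pw)
            h_k = pow(to_group(d), self.key, P)   # h_i^k
            self.buckets.setdefault(d[:PREFIX_BYTES], []).append(h_k)

    def lookup(self, prefix: bytes, blinded: int):
        """Server sees a 2-byte prefix and a blinded element h^a; it returns
        (h^a)^k and the blinded bucket, never any plaintext credential."""
        return pow(blinded, self.key, P), self.buckets.get(prefix, [])


class Client:
    """Runs in the browser extension's position: it knows the credential."""

    def is_breached(self, server: BreachServer, username: str, password: str) -> bool:
        d = credential_hash(username, password)
        a = random_exponent()                       # client's one-time blind
        blinded = pow(to_group(d), a, P)            # h^a
        double_blinded, bucket = server.lookup(d[:PREFIX_BYTES], blinded)
        # Strip our own blind: ((h^a)^k)^(a^-1) == h^k, directly comparable to
        # the server's h_i^k values. Membership reveals nothing about other entries.
        a_inv = pow(a, -1, ORDER)
        server_only = pow(double_blinded, a_inv, P)
        return server_only in bucket


if __name__ == "__main__":
    # Constructed sample breach data for the demo; not real leaked credentials.
    server = BreachServer([("alice@example.com", "hunter2"),
                           ("bob@example.com", "password1")])
    client = Client()
    print(client.is_breached(server, "alice@example.com", "hunter2"))   # combination leaked
    print(client.is_breached(server, "carol@example.com", "hunter2"))   # same password, other user
```

In this toy the server only ever receives two bytes of the credential hash and a blinded group element, and the client only ever receives the server’s blinded bucket, so neither side can recover the other’s plaintext from the exchange; the final query for a reused password under a different username returns `False`, which is exactly the “combination, not just the password” behaviour the article describes.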
It should go without saying that although Password Checkup may be useful to some internet users, it’s not a replacement for investing in a good password manager and signing up for a breach notification service such as HaveIBeenPwned.