Safer Internet Day is officially today, but Google is spending the entire week discussing security and launching new features. The first is a Password Checkup Chrome extension that will advise users to reset credentials breached on third-party sites, while Cross Account Protection extends first-party tools to re-secure breached Google Sign In apps.
Data breaches of emails and passwords are such a common occurrence that security researchers often create websites where users can see if their credentials are known to hackers. The people who create these sites are often trusted in the industry, but there is still the occasional worry about entering account details into a third-party site.
Google is now offering its own first-party solution with Password Checkup. The company already automatically resets Google Account passwords if they are exposed in a third-party data breach due to password reuse. The new Chrome extension brings this same level of protection to all services on the web.
If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised, the extension will trigger an automatic warning and suggest that you change your password.
After installing the Chrome desktop extension, Password Checkup appears in the browser bar as a green shield. When a user logs in to a third-party service with unsafe credentials, a red Safe Browsing-style dialog prompting them to “Change your password” appears and the icon turns bright red.
Google notes that Password Checkup was designed in a privacy-preserving manner alongside cryptography researchers at Stanford University.
We designed Password Checkup with privacy-preserving technologies to never reveal this personal information to Google. We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous. These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility.
To ensure transparency, Google has a full blog post explaining the technical details of the privacy-preserving protocol, including how it “never reports any identifying information about your accounts, passwords, or device.”
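To make the two properties quoted above concrete (the server never sees the credential, and a client cannot use the service to harvest the breach corpus), here is a toy blinded-lookup protocol written as an added illustration. It is not Google's code or the Stanford protocol, and it uses a small Mersenne-prime group, a fast hash and a 16-bit bucket prefix purely so it runs instantly offline; a real deployment would use an elliptic-curve group and a slow password hash. The breach dump, usernames and passwords are constructed sample data.

```python
import hashlib
import secrets
from math import gcd

# Toy group: Z_P^* with P = 2^127 - 1 (a Mersenne prime). Exponents live in
# Z_{P-1}^* so that blinding can be undone. Illustration-sized, not a real
# security parameter; an elliptic-curve group would be used in practice.
P = 2**127 - 1
ORDER = P - 1

# Constructed breach corpus (username, password) pairs for the demo only.
CONSTRUCTED_BREACH_DUMP = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
]


def hash_credential(username: str, password: str) -> bytes:
    """Hash the (username, password) pair; usernames are canonicalised to
    lower case. SHA-256 is used here for speed; a slow hash such as Argon2
    is what a production check would use."""
    data = f"{username.lower()}\x00{password}".encode()
    return hashlib.sha256(data).digest()


def bucket_prefix(digest: bytes) -> int:
    """First 16 bits of the hash: the only credential-derived value the
    server sees in the clear, shared by ~1/65536 of all credentials."""
    return int.from_bytes(digest[:2], "big")


def to_group(digest: bytes) -> int:
    """Map a hash to a non-zero element of Z_P^*."""
    return int.from_bytes(digest, "big") % (P - 1) + 1


def random_exponent() -> int:
    """Random exponent invertible modulo the group order."""
    while True:
        e = secrets.randbelow(ORDER - 1) + 1
        if gcd(e, ORDER) == 1:
            return e


class BreachServer:
    """Holds every breached credential raised to a secret server key,
    bucketed by hash prefix. Clients only ever receive keyed values, so
    the corpus cannot be recovered from a response."""

    def __init__(self, breached):
        self._key = random_exponent()
        self._buckets = {}
        for user, pw in breached:
            d = hash_credential(user, pw)
            keyed = pow(to_group(d), self._key, P)
            self._buckets.setdefault(bucket_prefix(d), []).append(keyed)

    def query(self, prefix: int, blinded: int):
        """Server-side step: it learns the prefix and a blinded element,
        never the credential. Returns the doubly-blinded element and the
        keyed bucket for that prefix."""
        return pow(blinded, self._key, P), list(self._buckets.get(prefix, []))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client-side step: blind the hashed credential with a fresh exponent,
    ask the server, strip the client blinding and compare against the bucket.
    Returns True if the credential is in the breach corpus."""
    d = hash_credential(username, password)
    a = random_exponent()
    blinded = pow(to_group(d), a, P)
    doubly_blinded, bucket = server.query(bucket_prefix(d), blinded)
    # (x^a)^k raised to a^-1 gives x^k, the same form the server stored.
    server_keyed = pow(doubly_blinded, pow(a, -1, ORDER), P)
    return server_keyed in bucket


if __name__ == "__main__":
    srv = BreachServer(CONSTRUCTED_BREACH_DUMP)
    for user, pw in [("alice@example.com", "hunter2"),
                     ("alice@example.com", "correct-horse-battery")]:
        print(user, "compromised" if check_credential(srv, user, pw) else "ok")
```

The server's only inputs are a 16-bit prefix and a group element blinded by a one-time client exponent, so it cannot recover the credential; the client receives only server-keyed values, so it cannot turn the bucket back into usernames and passwords. Because the blinding exponent is fresh per query, two lookups of the same credential are unlinkable on the wire.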
Google last year introduced tools to help users regain access to compromised accounts. These protections are now being extended to third-party accounts that use Google Sign In.
Cross Account Protection helps address this challenge. When apps and sites have implemented it, we’re able to send information about security events—like an account hijacking, for instance—to them so they can protect you, too.
Working with major tech companies like Adobe and the standards community, Google will share security events of known breaches so that those services can secure accounts as necessary.