Earlier this year, Google created “Password Checkup,” a tool that checks if any of your passwords have been revealed in an online data breach, as an extension for desktop Chrome. In the near future, the leak detection part of Password Checkup will become a default feature of Google Chrome instead of an optional extension.
For years, services like Have I Been Pwned have offered insight into whether or not your password has ever been compromised in a data breach. Google took things a step further by offering the Password Checkup extension that automatically checks your password’s safety when logging in to various web services.
However, there are two key flaws with developing it as a browser extension. The first is that it’s still an opt-in feature, meaning you have to actively seek out password security, which many are not willing to do or even know they need to do. The second and more glaring omission is that — unlike other mobile browsers — Chrome for Android does not support extensions.
Fortunately, according to the Chromium Bug Tracker, Google is looking to change things by integrating Password Checkup’s leak detection directly into Chrome. While the design documents are currently private, there are enough code changes available to piece together how it should work.
Just like the extension, Chrome will send an encrypted version of your username to the Password Checkup service, and the service will respond with an encrypted version of matching leaked usernames and passwords. This is used by your device to perform a check verifying whether or not that password has been compromised, without sharing that information with Google.
For those who, for whatever reason, do not want Google checking the safety of your passwords, it will also be possible to disable these Password Checkup features. Primarily, this is being done for the sake of enterprise customers, but the setting will likely also be available for the rest of us.
Building Password Checkup into Chrome also gives it access to the passwords synced to your Google Account. As these are passwords that you already trust Google with, Password Checkup is able to use Google’s servers to do a much faster check to see if any of them have been compromised.
Google currently has the bug for building Password Checkup into Chrome tagged to be completed for Chrome 78, which is due to release in late October. That being the case, we should see the integration arrive in Chrome Canary and Dev builds in the near future.