For many years Google has taken a hard line against password reuse to keep its users' accounts safe from hijacking. With the recent introduction of Password Checkup, it has tightened these security measures several notches further.
Google, in its own words, on the new Password Checkup tool:
“We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use
Why you should use Password Checkup
Unfortunately, popular companies and big websites on the internet today suffer huge security breaches as a result of cyber attacks, which many times leave tens of thousands of account credentials exposed to the public.
As soon as these leaked credentials (a credential dump) hit the public domain, cyber crooks immediately swing into action, downloading the credential files and trying the username and password combinations on thousands of other accounts in the hope of finding a case of password reuse.
So if you were to reuse the same username and password across many websites, then you could just get hacked on these other websites and get your accounts hijacked.
This is what the Google Password Checkup Chrome extension aims to combat: it warns you if malicious hackers already know your current password.
Set up Google’s Password Checkup in 4 easy steps
To get Google Password Checkup up and running:
1. Install the extension on Chrome.
2. Ensure the Password Checkup icon appears on your browser bar.
3. Get alerted when you sign in with a previously breached username and password.
4. Immediately take action to change your password to prevent account hacking or hijacking.
NOTE: As at the time of publishing this post I wasn’t able to get the extension to warn me about a breached password even though I had created some test accounts with known previously breached passwords, but not breached usernames. When I am able to do so I’ll update this post with my findings and
Privacy concerns of Password Checkup
Google has revealed that Password Checkup was designed with cryptography experts at Stanford University to ensure that Google never learns your username or password when the extension queries Google's data center about the breach status of a credential.
In other words, Google cannot know your password or username at any point in the Password Checkup checking cycle.
Additionally, you can clear any and all stored information about unsafe passwords and previously ignored sites that the Password Checkup extension has gathered by clicking “Advanced settings” > “Clear extension data”.
Password Checkup is not the first tool of this nature. Sites like Have I Been Pwned have been aggregating credential dumps and helping users find out whether their password or email has been leaked in a security breach.
Also, some password managers like Dashlane have site breach alerts baked into their software, which perform a similar function.
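To make the privacy claim above concrete, here is an added example (not from this post, and not Google's or Have I Been Pwned's code) of a hash-prefix lookup in the style of Have I Been Pwned's password range search, simulated offline: the client reveals only the first five hex characters of a SHA-1 digest and does the final comparison locally. It checks passwords only, does not reproduce Password Checkup's own protocol, and the function names and sample breach list are assumptions constructed for illustration.

```python
import hashlib

PREFIX_LEN = 5  # hex characters the client reveals (20 bits of the digest)

# Constructed sample breach list (illustrative values, not real leak data).
BREACHED = ["password1", "letmein", "qwerty123", "hunter2"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: bucket breached hashes by prefix, keeping only suffixes."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def server_range_query(index, prefix):
    """Server side: sees only the prefix, returns every suffix in its bucket."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return sorted(index.get(prefix, ()))


def client_is_breached(password, query):
    """Client side: send the prefix, compare the full suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in query(prefix)


if __name__ == "__main__":
    index = build_index(BREACHED)
    seen_by_server = []

    def query(prefix):
        seen_by_server.append(prefix)  # record everything that leaves the client
        return server_range_query(index, prefix)

    for candidate in ("hunter2", "correct horse battery staple"):
        print(candidate, "->", client_is_breached(candidate, query))
    print("server saw only:", seen_by_server)
```

The server never receives the password or its full hash, only a prefix shared by many possible passwords, and it cannot tell whether the client found a match.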
Overall, I would recommend Password Checkup to anyone who takes their online security seriously (and everyone should).