• December 26, 2019

Google Chrome Will Automatically Scan Your Passwords Against Data Breaches

Google Chrome Will Automatically Scan Your Passwords Against Data Breaches

Google Chrome Will Automatically Scan Your Passwords Against Data Breaches Ravensdale Digital

A data breach on a site or app exposed your password. Chrome recommends checking your saved passwords now.

Google’s password checking feature has slowly been spreading across the Google ecosystem this past year. It started as the “Password Checkup” extension for desktop versions of Chrome, which would audit individual passwords when you entered them, and several months later it was integrated into every Google account as an on-demand audit you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkup is being integrated into the desktop and mobile versions of Chrome 79.

All of these Password Checkup features work for people who have their username and password combos saved in Chrome and have them synced to Google’s servers. Google figures that since it has a big (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in innumerable security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.

The whole point of this is security, so Google is doing all of this by comparing your encrypted credentials with an encrypted list of compromised credentials. Chrome first sends an encrypted, 3-byte hash of your username to Google, where it is compared to Google’s list of compromised usernames. If there’s a match, your local computer is sent a database of every potentially matching username and password in the bad credentials list, encrypted with a key from Google. You then get a copy of your passwords encrypted with two keys—one is your usual private key, and the other is the same key used for Google’s bad credentials list. On your local computer, Password Checkup removes the only key it is able to decrypt, your private key, leaving your Google-key-encrypted username and password, which can be compared to the Google-key-encrypted database of bad credentials. Google says this technique, called “private set intersection,” means you don’t get to see Google’s list of bad credentials, and Google doesn’t get to learn your credentials, but the two can be compared for matches.

Read More

 




Privacy Preferences

When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

Click to enable/disable Google Analytics tracking code.
Click to enable/disable Google Fonts.
Click to enable/disable Google Maps.
Click to enable/disable video embeds.
Our website uses cookies, mainly from 3rd party services. Define your Privacy Preferences and/or agree to our use of cookies.