Chrome Will Automatically Scan Your Passwords Against Data Breaches - WIRED, Wired

Google’spassword checking featurehas slowly been spreading across theGoogleecosystem this past year. It started as the “Password Checkup”extensionfor desktop versions of Chrome, which would audit individual passwords when you entered them, and several months later it was integrated intoevery Google accountas an on-demand audit you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkupis being integratedinto the desktop and mobile versions of Chrome

ARS TECHNICA

This story originally appeared onArs Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.

All of these Password Checkup features work for people who have their username and password combos saved in Chrome and have them synced to Google’s servers. Google figures that since it has a big (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in innumerable security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.

The whole point of this is security, so Google is doing all of this by comparing your encrypted credentials with an encrypted list of compromised credentials. Chrome first sends an encrypted, 3-byte hash of your username to Google, where it is compared to Google’s list of compromised usernames. If there’s a match, your local computer is sent a database of every possibly matching username and password in the bad credentials list, encrypted with a key from Google. You then get a copy of your passwords encrypted with two keys — one is your usual private key, and the other is the same key used for Google’s bad credentials list. On your local computer, Password Checkup removes the only key it is able to decrypt, your private key, leaving your Google-key-encrypted username and password, which can be compared to the Google-key-encrypted database of bad credentials.Google saysthis technique, called “private set intersection,” means you don’t get to see Google’s list of bad credentials, and Google doesn ‘ t get to learn your credentials, but the two can be compared for matches.

Building Password Checkup into Chrome should make password auditing more mainstream. Only the most security-conscious people would seek out and install the Chrome extension or perform the full password audit atpasswords.google.com, and these people probably have better password hygiene to begin with. Building the feature into Chrome will put it in front of more mainstream users who don’t usually consider password security, which are exactly the kind of people who need this sort of thing. This is also the first time password checkup has been available on mobile, since mobile Chrome still does not support extensions (Google plz).

Google says, “For now, we’re gradually rolling this out for everyone signed in to Chrome as a part of our Safe Browsing protections. ” Users can control the feature in the “Sync and Google Services” section of Chrome Settings, and if you’re not signed into Chrome, and not syncing your data with Google’s servers, the feature won’t work.

With Password Checkup being integrated into Chrome, the extension is not really useful anymore.The Web versionis still great as a full password audit for all your passwords stored by Google, and now the version built into Chrome will continually check your passwords as you enter them.

This story originally appeared onArs Technica.