An in-depth look at Google’s latest password scanner

Feb 6, 2019 13:09 GMT

The latest security update for Google Chrome isn’t a new browser-specific feature, but an extension called Password Checkup.

As you could figure out by simply reading the extension’s name, Password Checkup verifies your passwords to make sure the credentials haven’t been compromised.

To do this, the extension checks a large database of breached credentials for anything that matches yours. If your username and password have been exposed to hackers, the browser displays a warning instructing you to reset the credentials.

The process, however, is a lot more complex, and it starts with Google building the breach database that powers the lookups for your own credentials.

Google says that whenever it becomes aware of such a breach, it stores a hashed and encrypted copy of the data and, at the same time, keeps an unencrypted 2-byte hash prefix that partitions the database. The full hash is encrypted with a secret key, so the data itself isn’t accessible, but Google can still use it later to look for credentials that may have been compromised.

Whenever you log in to a site, the Password Checkup extension looks at your data and creates a hashed and encrypted version of the username. This is sent to Google, while your full details are encrypted with a key that doesn’t leave your computer. Google says it doesn’t collect any information about your login details, and “only learns an anonymous hash prefix of your account details.”


The extension then searches the Google database for the same anonymous prefix, and once again, the search guarantees that no information is exposed in the process.

“We use blinding and private information retrieval to search through every unsafe username and password without revealing your account details, or anyone else’s, during the process,” it says.

The final check takes place on your device, and if the extension determines that your account details were exposed, it issues a recommendation to change your password immediately.
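To make that flow concrete, here is an added toy implementation (not Google’s code and not the extension’s actual protocol) of the lookup described above: the server keeps only key-encrypted hashes partitioned by an unencrypted 2-byte prefix, the client sends the prefix plus a blinded hash, and the final comparison happens on the device. It assumes SHA-256 as the credential hash and exponentiation in a small demo group (the Mersenne prime 2^127 - 1) as the blinding and encryption operation, standing in for whatever stronger primitives the real service uses; the breach records are constructed sample data.

```python
import hashlib
import math
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1: a demo-only modulus, not a production parameter
ORDER = P - 1        # exponents (blinding factor, server key) live modulo the group order


def credential_hash(username: str, password: str) -> bytes:
    """Full hash of the username/password pair; its first 2 bytes are the partition prefix."""
    return hashlib.sha256(f"{username}:{password}".encode()).digest()


def to_group(digest: bytes) -> int:
    """Map the hash into Z_p^* so it can be blinded and unblinded by exponentiation."""
    return int.from_bytes(digest, "big") % P or 1


class BreachServer:
    """Stores only encrypted hashes (h^k), bucketed by the unencrypted 2-byte prefix."""

    def __init__(self, breached_pairs):
        self.key = secrets.randbelow(ORDER - 2) + 2   # secret key k never leaves the server
        self.buckets = {}
        for user, pw in breached_pairs:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:2], set()).add(pow(to_group(h), self.key, P))

    def lookup(self, prefix: bytes, blinded: int):
        """Server learns only the prefix and a blinded value; returns the bucket and blinded^k."""
        return self.buckets.get(prefix, set()), pow(blinded, self.key, P)


def client_check(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind with a random r, query, unblind, then compare locally."""
    h = credential_hash(username, password)
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:      # r must be invertible so the blinding can be undone
            break
    blinded = pow(to_group(h), r, P)
    bucket, blinded_keyed = server.lookup(h[:2], blinded)
    r_inv = pow(r, -1, ORDER)            # modular inverse (Python 3.8+)
    unblinded = pow(blinded_keyed, r_inv, P)   # ((h^r)^k)^(1/r) == h^k
    return unblinded in bucket           # final check happens on the device, not at Google


if __name__ == "__main__":
    # Constructed sample breach data for the demo.
    server = BreachServer([("alice", "hunter2"), ("bob", "P@ssw0rd")])
    print(client_check(server, "alice", "hunter2"))   # True: both username and password leaked
    print(client_check(server, "alice", "new-pass"))  # False: same username, different password
```

The server never sees the plaintext credential or its full hash, only the 2-byte prefix and a value blinded by a factor the client discards afterwards.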

What’s very important to know is that Google says it pays particular attention to your sensitive details: not only does it focus on keeping your data private, but it also guarantees that attackers can’t abuse the extension to reveal unsafe usernames and passwords.

And of course, while your personal information isn’t collected, Google still gets some data, but the company says this comes down to anonymous statistics that help it determine the number of lookups for an unsafe credential. Basically, this helps Google improve the extension further and refine the detection algorithms, though for those who fear the search giant already controls too much data, such an approach is definitely concerning.


And last but not least, the extension won’t issue any warnings for weak passwords because Google claims it doesn’t want this extension to be intrusive by any means. “We only generate an alert when both your current username and password appear in a breach, as that poses the greatest risk,” it says.

I have already tried the extension with several of my accounts, and I haven’t received any warning that my account may have been compromised. This is good news, I guess, though I actually wanted to see how the whole thing works when a warning is issued.

Also worth knowing is that the warning doesn’t give you steps to take, but only recommends changing the password, as this is the typical first step in dealing with a possible breach. You can give it a try right now by downloading the extension from the Chrome Web Store and enabling it for all the websites where you log in with a username and password.
