In order to alert users when a password they are using has been compromised, Google is releasing a new extension for its Chrome browser. The new feature is called “Password Checkup,” and it will be largely unobtrusive. In fact, it will only alert the user when they attempt to use a password through Chrome that is part of Google’s enormous database of passwords known to have been hacked. It will not be another extension where users are alerted that their password is not secure because it does not contain enough random characters, numbers, etc.
Google has long been interested in protecting Chrome users’ passwords, in part because they are often the very same ones used to access Google services. Furthermore, so many passwords have already been compromised that many are floating around the Internet. The result is user unease about their own security. Password Checkup works on any site someone is trying to log into through Chrome.
Google’s security team has scoured the Internet for lists of compromised passwords and added them to their own database. While they do not deal directly with hackers, they do accept donations of stolen passwords from researchers. They have gathered roughly four billion unique username and password combinations so far.
For years, Google has been detecting when a user attempts to log into a Google service such as Gmail with a compromised password and then demanding a reset. Password Checkup takes the same concept and extends it to any site on the Internet, not just those managed by Google. With the release of Password Checkup, Google cautions that they are erring on the side of customer convenience and that the extension is still in the experimental phase.
Because Google is now checking and retaining so many passwords in the effort to protect its users, some fear that it is creating a security risk by developing an enormous database that could itself be hacked. Google’s security team reports that they have made multiple efforts to guard against this. Among other things, they collect only the information they need, they scramble and encrypt the data they do find, and they use a hashing algorithm for additional security. Google is publishing an academic paper in conjunction with the release of the extension, and they are very much committed to developing and improving it as time goes by.