Back in February, Google introduced a Chrome extension called Password Checkup—a plug-in that tapped into Google’s collection of account breach data and warned users of exposed passwords. Now, Google has directly integrated Password Checkup into its password manager, allowing users to check passwords from within their Google account settings—from any browser.
Password Checkup is now accessible from passwords.google.com, either from within a Web browser or the Google mobile application (within account settings). After verifying the user’s identity with an account login prompt, Password Checkup examines any Web passwords saved within Chrome that are synchronized using a Google account—checking against breach data and looking for re-used and weak passwords. Users can go straight to the sites with bad passwords using the “Change Password” button provided next to each compromised or weak password.
Wait, so Google has all my passwords?
The Password Checkup plug-in leverages a Google security Web application interface, which only sends hashes of passwords to be checked securely against a remote database made up of data culled from password dumps on underground marketplaces. Back in February, Google staff research scientist Kurt Thomas explained that the plug-in’s API uses a combination of anonymization and cryptography to protect the exchange, using a technique called “blinding” to create a secret search index. Credentials are anonymized with an Argon2 hash function to create a search key for Google’s database and encrypted with Elliptic Curve cryptography. “On your end, you get an index that only you know,” said Thomas—an index based on partial data that can’t be used to recreate the passwords themselves.
With the new Password Checkup within Google’s online password manager, the process is similar—your passwords get unlocked with your Google account credentials, and the same cryptographic exchange is done with the breached password backend. At the same time, the password manager can evaluate which passwords and logins are re-used or weak and provide additional recommendations on password changes. Google still doesn’t have direct access to your passwords.
Of course, this only works if you’re using a Google account to back up your Chrome settings and if you’re using Chrome’s password manager—and you haven’t put a separate password in place to secure your passwords. But if you are, you can perform Password Checkup from any browser you’ve used to sign in to your Google account—as well as retrieve passwords stored with the password manager. This is, of course, another reason to enable two-factor authentication for your Google account.