Google has a password manager that syncs across Chrome and Android, and now the company is adding a “password checkup” feature that will analyze your logins to ensure they haven’t been part of a massive security breach — and there have been oh so many of those. Password checkup was already available as an extension, but now Google is building it right into Google account controls. And it’ll be prominently featured at passwords.google.com, which is the URL shortcut to Google’s password manager.
Your login credentials are compared against the millions upon millions of known compromised accounts that’ve been part of major breaches. Google says that it also monitors the dark web to some extent for collections of passwords — but most of the database that password checkup compares against comes from crawling the open web.
Google is by no means the only one doing this: haveibeenpwned.com has proven to be a super helpful resource in this era of constant security breaches at major companies that affect tens of millions of customers.
If your password has been included in a breach, Google will encourage you to change the affected password. Same goes for if Google sees that you’re reusing passwords, which is a terrible practice; everything should have a unique login. And of course, Google will also notify you of accounts using weak passwords that are on the easy-to-guess end of the spectrum. In the case of the extension, passwords were hashed and encrypted before being sent to Google:
Since Password Checkup relies on sending your confidential information to Google, the company is keen to emphasize that this is encrypted, and that it has no way of seeing your data. Passwords in the database are stored in a hashed and encrypted form, and any warning that’s generated about your details is entirely local to your machine.
One point I raised with Mark Risher, Google’s director of account security, is that consumers are increasingly being asked to store their passwords in several places at once. Apple has iCloud Keychain. Google has this. And then you’ve got 1Password, LastPass, and other dedicated third-party password managers. What’s someone to do? Pick a horse and stick with it? Or try to keep multiple password managers in sync? The potential for mismatches or having an old, incorrect password in one of these places is pretty high. Google doesn’t really have a great answer for this issue, but says that it supports importing passwords and will be working to make that process smoother over the coming months.
To coincide with Cybersecurity Awareness Month, Google partnered with The Harris Poll to check up on the password habits of people in the US, and the results are pretty worrying. Too many are still including items that a stranger could easily find out — like a birthday, pet’s name, etc. — in their passwords. And not enough people are talking advantage of extra security measures like two-factor authentication (only 37 percent of respondents are using it) and password managers (15 percent).
66 percent of those polled said they use the same password for more than one online account. And when it comes to sharing with a significant other, only 11 percent said they changed their Netflix (or other streaming service) password after a breakup.
Password reuse is the main thing Google is trying to discourage, because using the same password for multiple services could put you in a dire situation should one of them be compromised. If you’re not a fan of digital password managers, just write ‘em down somewhere at home. Even that’s a good option if you can keep prying eyes away since you won’t repeat the same password.