A new Chrome Extension from Google called Password Checkup will automatically check whether your passwords have been exposed in a data breach. Once installed, the extension checks any login details you use — Google says “most” US sites are supported — against a database of around four billion usernames and passwords, and warns you if it finds a match.
Password breaches are an unfortunately common occurrence, but so long as you’re using a unique password for each website it’s normally fairly simple to deal with. Just change the login credentials used with the breached website, and move on. Unfortunately, when massive breaches like Collection #1 compromise so many different passwords, it can be impossible to know which of yours are still safe. That’s where Google’s new extension comes in.
Since Password Checkup relies on sending your confidential information to Google, the company is keen to emphasize that this is encrypted, and that it has no way of seeing your data. Passwords in the database are stored in a hashed and encrypted form, and any warning that’s generated about your details is entirely local to your machine.
Google isn’t the only company to offer such a service. 1Password’s robust password manager includes Watchtower integration to compare your passwords against Have I Been Pwned’s database of breached credentials. Google’s extension is free and you can use Chrome’s built-in password generator to generate a new password if you find one of yours has been compromised.
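As an added illustration (not code from this article, Google, or 1Password): one common way a client can test a password against a breach corpus while making the match decision locally is the hash-prefix range query used by Have I Been Pwned's Pwned Passwords service. The `BreachServer` class and the sample passwords are constructed stand-ins, and this is not Password Checkup's own protocol, which the article does not detail.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest revealed to the service


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Constructed stand-in for a breach-corpus service. Stores hashes only."""

    def __init__(self, breached_passwords):
        self.buckets = {}
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            bucket = self.buckets.setdefault(digest[:PREFIX_LEN], set())
            bucket.add(digest[PREFIX_LEN:])
        self.seen_queries = []  # everything the service learns from clients

    def range_query(self, prefix: str):
        """Return every stored hash suffix that shares the given prefix."""
        self.seen_queries.append(prefix)
        return sorted(self.buckets.get(prefix, set()))


def is_breached(password: str, server: BreachServer) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server.range_query(prefix)
    # The service never sees the suffix, so it cannot tell whether we matched.
    return suffix in candidates


if __name__ == "__main__":
    # Constructed sample corpus and inputs.
    server = BreachServer(["password123", "hunter2", "letmein"])
    for candidate in ["hunter2", "correct horse battery staple"]:
        status = "FOUND in breach corpus" if is_breached(candidate, server) else "not found"
        print(f"{candidate!r}: {status}")
    print("Service saw only these prefixes:", server.seen_queries)
```

The prefix still narrows the search space for whoever operates the service, so the privacy gain depends on each prefix bucket containing many unrelated hashes.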
While it sounds like a useful extension, ultimately Password Checkup further underlines how terrible passwords are as a means of keeping your accounts secure. Standards like WebAuthn, which replaces your password with a hardware token that only you have access to, are promising, but so few sites currently support the standard that it’s not really viable for widespread use. Two-factor authentication is another useful layer of security, but it too has limitations.
So for the time being we’re going to repeat the same advice we give every time we talk about passwords. You should use a password manager, you should use a unique password for every site, you should change any affected passwords the moment you hear about a breach, and you should turn on two-factor authentication for all sites that support it. The difference, now, is that you should also consider installing Chrome’s Password Checkup extension.
Comments
What is the URL for this extension?
By Iamnew on 02.05.19 9:07am
It’s the first link in the article: https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno
By goalcam on 02.05.19 9:20am
It wasn’t in the article. But thanks
By Iamnew on 02.05.19 9:45am
It’s the first result when you Google for Password Checkup.
By mondeca on 02.05.19 9:51am
A little bit more complicated than, say, lastpass’s basic duplication check. But same results…
By omo on 02.05.19 9:55am
Not the same results at all. The duplication check only shows you in your vault where you have duplicate passwords. It doesn’t check that against a list of known compromised username/password combinations.
By raynman37 on 02.05.19 1:59pm
They do check for compromised passwords as part of the Security Challenge:
https://blog.lastpass.com/2018/11/protect-your-accounts-with-breach-alerts-through-lastpass.html/
By op12 on 02.05.19 2:11pm
Yeah, that’s the same thing I’m talking about. The person I was replying to only talked about the duplication check though. I didn’t realize Lastpass had all the other bells and whistles too.
By raynman37 on 02.05.19 2:37pm
Actually, the company that LastPass partnered with for the compromised password checks is completely incompetent. I added 100 bogus accounts with 100 compromised passwords to my vault and after going through the security challenge the results said that none of my passwords were compromised. I sent an email to LastPass with my results and they just said they would work on it but they still haven’t. That was 4 months ago.
By Darkbotic on 02.05.19 2:44pm
My point was, if you deduplicated your passwords, it really doesn’t matter if the passwords were compromised in a known hack or not. As long as you have reset your password for the site it was compromised on, then you are fine.
By omo on 02.05.19 5:36pm
I doubt it is the "free-est", as LastPass has been offering this to all its users.
By rwalle on 02.05.19 9:56am
Seconding LastPass Security Checkup, shows you compromised accounts, compromised passwords, old passwords, weak passwords, and duplicate passwords. Spent all of a week last month cleaning up my entire store of old passwords. Now everything is randomly generated and unique!
By npeep- on 02.05.19 12:33pm
Actually, the company that LastPass partnered with for the compromised password checks is completely incompetent. I added 100 bogus accounts with 100 compromised passwords to my vault and after going through the security challenge the results said that none of my passwords were compromised. I sent an email to LastPass with my results and they just said that they were going to work on it but they still haven’t. That was 4 months ago.
By Darkbotic on 02.05.19 2:47pm
Thankfully it’s not a big deal.
By omo on 02.05.19 5:38pm
wait, you’re suggesting that lastpass does it better but when someone points out it doesn’t actually work "it’s not a big deal"?
By echomrg on 02.06.19 6:30am
Not letting me install on Opera (as many chrome addons do)
By theeht10 on 02.05.19 10:19am
Passwords seem so archaic at this point. Can’t we just have some sort of biometric system run off your phone? Link a login email address with your phone and when you ask to login your phone pops up requesting your fingerprint or Face ID. Seems like the best use of current tech.
By DavidDesu13 on 02.05.19 11:36am
The thing is, "you" is really that electrochemical event happening in your brain, and the only way (currently) to authenticate that is to ask it for a piece of information that only it knows. Fingerprints, iris scans, hardware tokens – all those things can be falsified or stolen. A password is a reasonably bad solution to a problem where there are no good solutions, and likely never will be. Even password managers with their autogenerated random passwords are still proxies for that master password that (hopefully) lives only in your mind and thus authenticates your mind.
By goosedaddy on 02.05.19 12:52pm
But what happens when you die and you need to get $190 million in cryptocurrency off your phone?
By obtainable on 02.05.19 5:15pm
unfortunately your fingerprint can be easily lifted from basically everything you touch and fingerprint readers can be easily fooled. depending on how well the face id reader works it might be a little more difficult to fool but, again, your face is quite easily accessible.
also, once your fingerprints or face are compromised it’s quite difficult to change them.
biometric systems alone are not an alternative to passwords.
By echomrg on 02.06.19 6:35am
A very nice extension and service Google did here, now Google allow the extension to install on other Blink based browsers instead of blocking it on those and you could take a bow.
By SasparillaFizz on 02.05.19 12:26pm
You’ve accidentally a word in the title.
By metis on 02.05.19 12:35pm
"In a sudden twist of irony, the extension stole all users’ passwords."
- the future -
By craPkit on 02.05.19 1:26pm
Using something like this takes you from multiple independent modes of failure, to a single one.
By obtainable on 02.05.19 5:17pm
The URL for the extension (which IS PNGized) needs to be in the text so it is "clickable". Otherwise everyone needs to memorize and type it in.
By emanuensus on 02.05.19 2:15pm