February 5th, 2019 happens to be Safer Internet Day, and Google is celebrating by releasing an awesome security tool that’s available right away for all Chrome browser users. What does it do? It looks at the username and password combinations you’re using to sign into various online services and warns you if the data is already in the possession of hackers. In other words, the Password Checkup Chrome extension will tell you when you need to change your password and every single person who uses Chrome should install it immediately.
In light of the recent Collection hacks, the news that Google’s password checking tool can compare your username/password combos against a database containing more than four billion leaked credentials is great. And before you worry that your passwords need to travel the internet to Google’s servers to perform the check, you should know that Google’s security team worked with cryptographers at Stanford University to ensure that Google never learns any of your usernames and passwords, and that any breach data stays safe from wider exposure.
Once installed, the Password Checkup tool will monitor all your logins and trigger warnings once a positive match comes up. What’s great about the tool is that it should work with your current password manager if you use one (you really, really should be using one). Also, considering that the warning comes as soon as you’ve logged into an account, you’ll be able to change the password immediately — and you should do so once the warning arrives.
Google says it won’t bother you about outdated passwords that you may have reset or dumb passwords you might be using, like 123456 as long as they do not appear in a data breach. Of note, Google will collect some anonymous data from your Password Checkup usage, including “the number of lookups that surface an unsafe credential, whether an alert leads to a password change and the web domain involved for improving site compatibility.”
As for the actual password-matching trickery that goes on behind the scenes, Google explains that the actual password matching happens locally and Google will never know the username/password you’re using. The following infographic, explains exactly what the Password Checkup tool does from the moment you input your password to the moment it warns you to change it:
