Google launched today a new service called Password Checkup that will check a user's saved passwords if they've been leaked and compromised in breaches at other services.
The service is currently available for the Google web dashboard and Android devices, but will also be added to the Chrome browser later this year.
Available for the Google Web Dashboard and Android
On the web, Password Checkup will be available at passwords.google.com. If Chrome users ever choose to use a Google account with the Chrome browser and then saved passwords in Chrome, this is the website where those passwords are synced to.
The passwords.google.com website has been around for a while but has only been known to Chrome power users. But starting today, Google wants all Chrome users to consider it the company's official "password manager."
Here is where they'll be able to see a list of all the passwords they've ever saved in Chrome, and also access the new Password Checkup feature.
To use the new feature, a new button that says "Check Passwords" will be available. Once pressed, Google will take all the user's passwords and check them against an internal database of over four billion user credentials that have been leaked online via breaches at other companies.
If a username & password combo is found in this database, Google will warn the user that they need to change the password for that account, as they're at risk of having the account hijacked by hackers.
On Android devices, the Password Checkup feature takes all the account details saved on a device and checks them against the same Google internal database. Users can access Password Checkup on their device via the official "Google" Android app.
But while the extension worked great, Google also plans to add Password Checkup inside Chrome itself later this year. Currently, the feature is already available in Chrome Canary, the Chrome version where the company tests features before they enter the Chrome Beta and Chrome Stable release cycle.
To enable Password Checkup in Chrome Canary, users must navigate to the chrome://flags section and enable the "Password Leak Detection" feature (chrome://flags/#password-leak-detection).
When this feature is enabled, a new option appears in the Chrome Settings panel, in the Passwords section.
The upcoming Chrome Password Checkup feature won't work unless users have chosen to use a Google account as a Chrome profile.
This should quench any users' fears that "Google is scanning Chrome passwords without permission," as the feature won't work unless users specifically sign into Chrome with a Google account, and sync passwords.
Google's push towards improving password security is part of the company's broader plan of bolstering the security of its entire service.
Online accounts are all interconnected through thin wires -- namely usernames and passwords. Password reuse can often lead from the compromise of an initial account to hacks at multiple services. Google accounts often sit at the center of this web of personal accounts since most people use a Gmail address to register on most of their online services.
Gmail addresses are considered the holy grail of all hacks, since if an attacker compromises one, they can use it to reset passwords at multiple other services.
Password reuse has been the easiest way through which attackers jump this web of interconnected accounts, in the hopes of hitting the jackpot -- a Google account or an account with access to financial resources.
One way to prevent this has been to use two-step verification (2SV) or two-factor authentication (2FA) solutions, of which Google has been the main proponent and a driving force over the past few years.
But since the start of the year, and through the launch of the Password Checkup Chrome extension, Google also began pushing for the use of unique passwords, and eradication of password reuse.
And password reuse is a major problem nowadays. A recent survey conducted by Google and The Harris Poll on a sample of 3,419 Americans has shown that users tend to use simplistic passwords, or tend to reuse passwords across accounts to make their lives easier.
● Nearly one out of four Americans (24%) have used the following common passwords, or some variation: "abc123," "Password," "123456," "Iloveyou," "111111," "Qwerty," "Admin" or "Welcome." ● 59% of U.S. adults have incorporated a name (their own, a family member's, a partner's, or a pet's) or a birthday (their own, a child's, or a partner's) into their password to an online account ● 22% have used their own name as part of their password. ● One-third (33%) have used their pet's name or a variation as their password, while only 15% have used their spouse or partner's name and 14% have used their children's names. ● 27% have attempted to guess someone else's password. ● Of that group, 17% have guessed correctly. ● 43% have access to someone else's active password. ● Another 43% have shared their password with someone else, including: ○ 22% who have shared their password for a TV or movie streaming service ○ 20% who have shared their email account password ○ 17% who have shared their password for their social media accounts ○ 17% who have shared their password for their online shopping accounts ● Despite 57% of password-sharers saying they share their passwords with their significant others, only 11% of Americans report changing their password after a breakup. ● 37% use two-factor authentication. ● One-third (34%) change their passwords regularly. ● Only 15% use a password manager. ● 36% keep track of passwords by writing them on a piece of paper. ● Two-thirds (66%) use the same password for more than one online account. ● 4 in 10 Americans say their personal information has been compromised online. ● 47% of those whose information has been compromised lost money due to the compromise, including 12% who lost more than $500. ● 38% report losing time because of a data breach. ● Still, less than half of Americans (45%) would change their password to an online account following a data breach.
How to protect your Google Account with the Advanced Protection Program