Today, on Safer Internet Day, Google has released a new Chrome extension named "Password Checkup" that checks if usernames and password combinations entered in login forms have been leaked online during past data breaches and security incidents.
The extension works every time users log into an online service. The extension takes the username and password entered in the login form and checks them against a database of over four billion credentials that Google engineers have collected from public breaches in the past few years.
If the username and password combo are found in Google's internal database of unsafe credentials, the extension will show a popup alerting the user that he needs to change the credentials.
According to Google, they designed the extension with privacy in mind, so both Google and attackers can't abuse it to reveal or learn the user's passwords.
"Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure," Google said today.
The extension works eerily similar to the Firefox Monitor service that Mozilla shipped with Firefox in November 2018.
But under the hood, the two services are very different. Firefox Monitor works by showing a one-time alert when users navigate to a website that has been breached in the previous 12 months and politely asks users to consider changing passwords.
On the other hand, Google's new Password Checkup extensions works more proactively to check actual usernames and passwords entered in login forms.
Firefox Monitor also works on top of the Have I Been Pwned service, while Password Checkup works based on an internal Google database of leaked credentials, different from Have I Been Pwned.
According to Google, the extension doesn't check individual usernames and passwords, but both items at the same time, as a combo.
This means the extension won't show alerts when users use simple passwords such as "123456," but only when both the username and password have been found together, as a combo, in previously leaked data. Google said the reason it doesn't alert users when they use simple or previously leaked passwords is because they were trying to avoid an alert/popup fatigue that may have led to users ignoring the alerts altogether.
The reason behind this extension's creation is that threat actor groups are using username and password combos from old leaks to launch credential stuffing attacks, attempting to gain access to other online accounts where users have reused their old username and password combos.
These types of attacks have been intensifying recently, with DailyMotion, Reddit, Basecamp, HSBC, Dunkin' Donuts, AdGuard, and others reporting similar incidents. Google, too, has seen such attacks, reporting to have blocked attacks on nearly 110 million users in the past with the same database of four billion leaked credentials that it's now using to power the Password Checkup tool.
"We want to help you stay safe not just on Google, but elsewhere on the web as well," Google said today. "Since this is a first version, we will continue refining it over the coming months, including improving site compatibility and username and password field detection."
For details about the cryptography that the extension uses to safeguard the usernames and passwords entered in login forms from both Google and third-party attackers, please have a look at the official Google announcement.
The Password Checkup extension can be downloaded from the official Chrome Web Store, here.