On Android, the Password Checkup feature is now part of the "Autofill with Google" mechanism, which the OS uses to select text from a cache and fill in forms.
The idea is that the Password Checkup feature takes passwords stored in the Android OS password manager and checks them against a database containing billions of records from public data breaches to see if a password has previously leaked online.
If it has, a warning is shown to the user.
Google says that users have nothing to fear when it comes to this password-checking mechanism, which does not share their credentials in cleartext over the network, and works as follows:
Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
The server returns a list of encrypted hashes of known breached credentials that share the same prefix
The actual determination of whether the credential has been breached happens locally on the user's device
The server (Google) does not have access to the unencrypted hash of the user's password and the client (User) does not have access to the list of unencrypted hashes of potentially breached credentials.
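The exchange described in the four points above, as an added teaching model that is not Google's production code (Google's actual construction is not detailed in this article): a Diffie-Hellman-style commutative blinding in the multiplicative group mod a prime stands in for the "encrypted hash", the 2-byte SHA-256 prefix partitions the server's buckets, and the breached credentials are constructed sample data.

```python
import hashlib
import secrets
from math import gcd

# Teaching model only: commutative blinding mod a Mersenne prime. Not a
# production parameter choice, just enough to show who learns what.
P = 2**127 - 1          # prime modulus; multiplicative group has order P - 1
ORDER = P - 1

def _random_exponent() -> int:
    """Random exponent that is invertible mod the group order (needed to unblind)."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if gcd(k, ORDER) == 1:
            return k

def credential_hash(username: str, password: str) -> bytes:
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

def to_group(h: bytes) -> int:
    """Map a hash to a nonzero group element."""
    return int.from_bytes(h, "big") % P or 1

class Server:
    """Stores breached credentials only as server-blinded hashes, bucketed by prefix.
    Constructed sample data is passed in by the caller (hypothetical server)."""
    def __init__(self, breached):
        self.key = _random_exponent()
        self.buckets = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:2], []).append(pow(to_group(h), self.key, P))

    def lookup(self, prefix: bytes, client_blinded: int):
        """Server sees only the 2-byte prefix and the client-blinded value,
        never the client's plain hash. Returns the bucket plus the doubly
        blinded client value."""
        return pow(client_blinded, self.key, P), self.buckets.get(prefix, [])

def check_credential(server: Server, username: str, password: str) -> bool:
    """Client side: blind, query by prefix, unblind, compare locally."""
    h = credential_hash(username, password)
    a = _random_exponent()
    double_blinded, bucket = server.lookup(h[:2], pow(to_group(h), a, P))
    # Strip our own blinding; what remains is the server-keyed hash, which
    # is comparable to bucket entries but reveals none of their plain hashes.
    server_keyed = pow(double_blinded, pow(a, -1, ORDER), P)
    return server_keyed in bucket
```

The server never receives the plain hash of the queried credential, and the client never receives a plain hash of any breached credential, which is the property the four points above describe.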
The Password Checkup feature is rolling out today for all Android 9+ users. To enable Password Checkup, users should make sure Autofill with Google is activated on their devices by following the steps below:
Open your phone's Settings app
Tap System > Languages & input > Advanced
Tap Autofill service
Tap Google to make sure the setting is enabled
A similar password-checkup feature has been present in iOS 14 since last summer. Most web browsers have also had similar password-breach-checking features for years, such as the ones found in Firefox, Chrome, Safari, and Microsoft Edge.