February 7, 2019
To combat data breaches, Google has created a Chrome extension to provide a “password checkup” that compares users’ passwords with a database of four billion unique usernames and passwords that have been compromised. The extension works in the background, only showing a warning if it finds a match. That’s all it does: it is not a password manager that determines how weak or strong passwords are. Google accounts, often the key to a user’s email address, are breached mainly because people reuse passwords on multiple sites.
Wired reports that Google “hasn’t ever bought stolen credentials, and that it doesn’t currently collaborate with other security-minded aggregators like Have I Been Pwned, a service maintained by the security researcher Troy Hunt,” but it will take donations from researchers. Google divisions including Nest are also “working on features to prevent exposed password reuse, because of problems with account takeovers.”
“We’ve reset something like 110 million passwords on Google accounts because of massive breaches and other data exposures,” said Google anti-abuse research team head Elie Bursztein. “The idea is, can we have a way to do it everywhere? It works in the background and then after 10 seconds you may get a warning that says ‘hey, this is part of a data breach, you should consider changing your password’.”
The Wired reporter tested Password Checkup with a login she knew was compromised and the system “didn’t flag it,” most likely because “Bursztein and Kurt Thomas, a Google security and anti-abuse research scientist, note that they’ve skewed toward zero false positives so they aren’t accidentally giving users warnings based on similar, but slightly different passwords or the same password that was compromised for a different person, but not you.”
The two also stress that Password Checkup is “still an experiment and isn’t necessarily finalized.”
Bursztein and Thomas expect to face another big question: Won’t Password Checkup end up with “a terrifying trove of all your passwords … and if so, couldn’t attackers find a way to compromise” it? The researchers, who collaborated with Stanford University “to devise layers of encryption and hashing” (including Argon2), said that Google faced several issues. Among them, they wanted to make sure the system never learns your username and password in the process, prevents anyone from brute-forcing the system, and makes sure there is no “trackable identifier for the user that would reveal any information.”
Google and Stanford researchers plan to publish an academic paper “that details its underlying protocols and cryptographic principles for public vetting.”
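To make those three design goals concrete, here is an added illustrative sketch; it is not Google's protocol (whose details are left to the forthcoming paper) but a simple scheme with the same properties. The client hashes the username/password pair with a memory-hard function (scrypt from Python's standard library stands in for Argon2 here, an assumption) and sends the server only a two-byte prefix, so the server sees neither the credential nor a per-user identifier; the client compares the returned bucket locally, and only an exact match is flagged. All names and the sample breach corpus are constructed for this example.

```python
import hashlib
from typing import Dict, List, Set

# Constructed, hypothetical breach corpus for the example (not real leaked data).
BREACHED_CREDENTIALS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "correct horse battery"),
]

BUCKET_BYTES = 2  # only this short hash prefix ever leaves the client


def credential_hash(username: str, password: str) -> bytes:
    """Memory-hard hash of the (username, password) pair.

    scrypt stands in for Argon2: an attacker who obtains the hashed corpus
    still pays a large memory/time cost for every guess.
    """
    # Lower-casing the username is an assumed normalisation, not from the page.
    material = f"{username.lower()}:{password}".encode()
    # Fixed, public salt so client and server derive the same digest.
    return hashlib.scrypt(material, salt=b"password-checkup-example",
                          n=2**14, r=8, p=1, dklen=32)


def bucket_id(digest: bytes) -> bytes:
    """Short prefix shared by many credentials, so it identifies nobody."""
    return digest[:BUCKET_BYTES]


class BreachIndex:
    """Server side: stores hashes grouped by prefix and only ever sees prefixes."""

    def __init__(self, credentials):
        self.buckets: Dict[bytes, Set[bytes]] = {}
        for user, pw in credentials:
            h = credential_hash(user, pw)
            self.buckets.setdefault(bucket_id(h), set()).add(h)
        self.requests_seen: List[bytes] = []  # everything the server could log

    def lookup(self, prefix: bytes) -> Set[bytes]:
        self.requests_seen.append(prefix)
        return set(self.buckets.get(prefix, ()))


def check_credential(server: BreachIndex, username: str, password: str) -> bool:
    """Client side: plaintext and full digest never leave this function.

    Membership is tested on the full digest, so a similar password or the
    same password under another username is not reported as a match.
    """
    h = credential_hash(username, password)
    return h in server.lookup(bucket_id(h))
```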