Google’s new Chrome extension squeals on compromised passwords

Today is Safer Internet Day, so it's fitting that Google chose this morning to release its Password Checkup extension for Chrome.

Just as it sounds, the Password Checkup extension audits your username and password when you log in to a website. If the combination is known to be compromised, you'll see a big red warning, as shown in the image above.

"We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use is one of over 4 billion credentials that Google knows to be unsafe," Google explains.

Google jointly developed the extension with cryptography experts at Stanford University. While your information is sent to Google, the company claims it has no way of actually seeing your login information. That's because the extension uses "multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding." This infographic breaks it down into more detail.
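To show how k-anonymity and blinding can let a server answer "is this credential breached?" without seeing the credential, here is a simplified sketch added for illustration; it is not Google's code or its actual protocol, and it leaves out private information retrieval. The names (`Server`, `is_compromised`, `cred_hash`), the 2-byte prefix, PBKDF2 as the slow hash and the small toy modulus are all assumptions, and the sample credentials are constructed.

```python
import hashlib
import math
import secrets
from collections import defaultdict

P = 2**127 - 1  # toy prime modulus (assumption); far too small for real use


def cred_hash(user, password):
    # Slow salted hash of the pair; stands in for "multiple rounds of hashing".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 1000)


def to_elem(h):
    # Map the hash to a group element in [2, P-1].
    return int.from_bytes(h, "big") % (P - 2) + 2


def rand_exp():
    # Secret exponent that is invertible mod P-1, so blinding can be undone.
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e


class Server:
    def __init__(self, breached):
        self.b = rand_exp()                      # server-side secret
        self.buckets = defaultdict(set)          # hash prefix -> {elem^b}
        for user, pw in breached:
            h = cred_hash(user, pw)
            self.buckets[h[:2]].add(pow(to_elem(h), self.b, P))

    def query(self, prefix, blinded):
        # The server sees only a 2-byte prefix (k-anonymity) and elem^a.
        return pow(blinded, self.b, P), self.buckets.get(prefix, set())


def is_compromised(server, user, password):
    h = cred_hash(user, password)
    a = rand_exp()                               # fresh client secret per query
    blinded = pow(to_elem(h), a, P)              # elem^a hides the hash
    double, bucket = server.query(h[:2], blinded)
    unblinded = pow(double, pow(a, -1, P - 1), P)  # (elem^(a*b))^(1/a) = elem^b
    return unblinded in bucket                   # compared locally on the client
```

The prefix narrows the lookup to one bucket shared by many credentials, and because the client only ever receives values raised to the server's secret exponent, it cannot read the other entries in that bucket either.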

Password Checkup is a first-party extension, which begs the question as to why Google doesn't just bake it into Chrome natively and make it opt-in. That might be the direction it takes. For now, though, Google views it as an "early experiment."

The extension arrives on the heels of the largest compromised data dumps to date, known as Collection #1 and Collection #2-5. These collections are essentially roundups of previously stolen credentials. The first one contains over 770 million email addresses and 21 million passwords, while the second batch exposes 2.2 billion unique usernames and passwords.

I've only been using the Password Checkup a short while, but so far I haven't noticed any side effects. If you want to give it a whirl yourself, follow this link. You should also consider a password manager.