Back in February, Google introduced a Chrome extension called Password Checkup—a plug-in that tapped into Google's collection of account breach data and warned users of exposed passwords. Now, Google has directly integrated Password Checkup into its password manager, allowing users to check passwords from within their Google account settings—from any browser.
Password Checkup is now accessible from passwords.google.com, either from within a Web browser or the Google mobile application (within account settings). After verifying the user's identity with an account login prompt, Password Checkup examines any Web passwords saved within Chrome that are synchronized using a Google account—checking against breach data and looking for re-used and weak passwords. Users can go straight to the sites with bad passwords using the "Change Password" button provided next to each compromised or weak password.
-
Password Checkup, the plug-in, still works to warn if a specific site has a bad password and updates you on passwords found in recent breaches.
Wait, so Google has all my passwords?
The Password Checkup plug-in leverages a Google security Web application interface, which only sends hashes of passwords to be checked securely against a remote database made up of data culled from password dumps on underground marketplaces. Back in February, Google staff research scientist Kurt Thomas explained that the plug-in's API uses a combination of anonymization and cryptography to protect the exchange, using a technique called "blinding" to create a secret search index. Credentials are anonymized with an Argon2 hash function to create a search key for Google's database and encrypted with Elliptic Curve cryptography. "On your end, you get an index that only you know," said Thomas—an index based on partial data that can't be used to recreate the passwords themselves.Read 2 remaining paragraphs | Comments
More...