Data breaches and account hacking has become more prevalent than ever before, which makes staying safe online of paramount importance.
Google has released a new password checkup tool to help you stay safe online – not just Google sites or services. The new Password Checkup Chrome extension will trigger a warning whenever yo log into a site if the username and password you use is one of over 4 billion credentials that Google knows to be unsafe.
Google says that Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that they (Google) never learn your username or password and that any breach data stays safe from wider exposure. Password Checkup is still an early experiment which is why Google is sharing the technical details behind their privacy-preserving protocol to be transparent about how they keep your data secure.
Key design principles
- Alerts are actionable, not informational: Google says that they believe that an alert should provide concise and accurate security advice. For an unsafe account, that means resetting your password. While it’s possible for data breaches to expose other personal data such as a phone number or mailing address, there’s no straightforward next step to re-securing that data. That’s why they focus only on warning you about unsafe usernames and passwords.
- Privacy is at the heart of our design: Your usernames and passwords are incredibly sensitive. Password Checkup was designed with privacy-preserving technologies to never reveal this personal information to Google. They also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords. Finally, all statistics reported by the extension are anonymous. These metrics include the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the web domain involved for improving site compatibility.
- Advice that avoids fatigue: Password Checkup will only alert you when all of the information necessary to access your account has fallen into the hands of an attacker and it won’t bother you about outdated passwords you’ve already reset or merely weak passwords like “123456”. An alert is only generated when both your current username and password appear in a breach, as that poses the greatest risk.