What is the Password Checkup Extension?

Password Checkup is an optional add-on for the Google Chrome browser that helps you identify online accounts that have been affected by data breaches. If you’re not familiar with the term, a data breach occurs when hackers break into a poorly secured website, and steal personal information stored there. Unfortunately, this happens with alarming regularity, and can impact tens of millions of users, revealing some combination of names, addresses, phone numbers, social security numbers, birth dates, driver’s license data, and of course usernames and passwords. That data is bundled up and sold on various black markets online.

Dashlane, which offers a popular password manager, published a list of the 20 Biggest Data Breaches of 2018. Among them are Marriot (500 million records including names, addresses, phone numbers, email addresses, passport numbers, and dates of birth); Exactis (340 million records including names, addresses, email addresses, phone numbers, and other personal information such as habits, hobbies, and the number, ages, and genders of the person’s children; and Twitter (330 million plain-text passwords). Going back to 2017, there was the horrific Equifax breach which affected 143 million Americans, and included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers and credit card numbers. And those are just the highlights. If you’ve done business with Uber, Verizon, Under Armour, Panera Bread, T-Mobile, Saks, or Lord and Taylor, your personal information may be “out there”.

Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password. If you use the same username and password for any other accounts, please reset your password there as well.

If you get an alert, you should change your password right away, even though password resets are complicated and time-consuming. When it’s time to choose a new password, let Chrome suggest a strong one; right-click while your cursor is in the password box and select “Suggest strong password” at the top of the context menu. If you choose to use the suggested password, Chrome will enter it and save it to your passwords list.

It’s not clear where Google got its four billion compromised credentials. The company says that it has reset over 110 million Google account passwords in the past two years; presumably, those compromised passwords are in the database. Google doesn’t say

where the rest come from or how quickly they are added to the database. But my guess is that they keep tabs on the major data breaches and incorporate that information into their service.

Password Checkup addresses the problem of password re-use. If you follow the best practice of using a unique password on every site, you only have to reset one site’s password if your password is compromised. But if you have re-used a password on multiple sites, you probably don’t recall which ones need to be reset. Password Checkup will alert you each time you try to use compromised credentials. So it is of great use in plugging the very common password re-use vulnerability.

Google is not the first to market with a password checker. For nearly a year, the 1Password password manager has integrated with Troy Hunt’s Pwned Passwords database, which currently contains about half a billion compromised credentials.

Unlike Google, 1Password downloads all of the compromised credentials to each user’s machine. While this avoids uploading a user’s credentials to 1Password’s server, it puts an ever-growing burden on the user’s computing resources. Google, instead, works in the cloud with encrypted copies of user data, so Google never knows what the user’s credentials are. Google’s password manager is free, while 1Password costs about $3 per month for a single user.

Google addresses the privacy issue of Password Checker thusly: “Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords, or device. We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.” You can learn more about how Password Checkup works.

This is the first public release of Password Checkup; even Google admits there’s room for improvement in the future. Making it work with more log-in screen formats is a high priority. I would like the extension to check all of my saved passwords in one batch and show me which ones need to be changed. Some automation of tedious password-reset routines would also be very welcome.

But what would really make my day is the elimination of passwords altogether. I long for the day when bio metric or hardware key security becomes the universal norm. Then we will have much less to remember, maintain, and worry about. A lot of progress has been made on the mobile device side, with fingerprint, voice and face identification options.

Have you checked to see if your email addresses and/or passwords have been compromised?

Thanks to Bob for this post as always

From all of us on the ZI Staff have a great week.