Google’s New Chrome Extension Seeks to Secure Accounts
Google has come up with a new Chrome extension that seeks to secure users’ accounts.
The new Google Chrome extension, called Password Checkup, warns users if their login credentials have been compromised and thus helps protect accounts from data breaches.
Google, in a blog post dated February 5, 2019, has announced the launch of this new feature. The blog post says, “We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use is one of over 4 billion credentials that Google knows to be unsafe.”
Google explains that it has designed the Password Checkup extension keeping in mind that Google never gets to know anyone’s username or password. The Google blog post explains, “Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure.”
The three key design principles
While designing Password Checkup, Google had three key design principles in mind:
- Google believes that alerts are actionable and not informational. Thus, based on the belief that an alert should provide concise, accurate security advice, the Password Checkup extension not only alerts users about compromised login credentials, but also prompts them to change passwords if they are compromised. This, Google believes, is the best way to re-secure data.
- Google has used privacy-preserving technologies in designing Password Checkup, seeking to ensure that users’ personal information would never be revealed to Google. Similarly, the extension also prevents an attacker from abusing it to reveal unsafe login credentials. All statistics that get reported by Password Checkup remain anonymous.
- Google seeks to avoid ‘alert fatigue’ and hence has designed Password Checkup in such a way that the alert comes only when all information needed to access a user’s account has been obtained by a hacker. Alerts come up only when a user’s current username and password appear in a breach because this poses the greatest risk to security.
To secure an account, the user would need to install the Password Checkup extension on Chrome The icon of the extension would then appear on the browser bar and then, whenever the user signs in with unsafe credentials, an alert is sent. The user can then change the password to prevent account hacking.
The Google blog post explains how the Password Checkup extension seeks to provide utmost security. The blog post says, “At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding.”
Google says that it’s now the first version of Password Checkup that’s available as an extension for Chrome. Over the coming months, Google would continue refining it, including improving site compatibility and username and password field detection.
Julia Sowells918 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.