Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com)
An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."
Google *can* see everything you do with Chrome - every click, every keystroke, every image you linger on a bit longer than is seemly. That capability is well within their ability, aka they *can* do it. The real question is how much of that they *choose* to collect and send back home, rather than simply having the ability to do so.
This seems like it should be benign enough though - not much advantage to be gained collecting this information (and a lot of potential liability and bad PR), and it's simple enough to hash a name/password combination and send it back to the server in order to retrieve any/all pairs with a matching hash for comparison on your computer.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
You could read the article or the original blog post:
https://security.googleblog.co...
Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.
Your full plaintext password and full hashed password are never sent to Google.
There's a nice diagram on the blog post that explains everything at a fairly deep level.
I'm out of my mind right now, but feel free to leave a message.....
Why link to Engadget when you can link to the actual article itself? https://security.googleblog.co...
Must be kickbacks to msmash.
I'm not a complete idiot... Some parts are missing.
They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas...
Though they're also probably stealing your passwords. It is Google, after all.
HIBP maintains a DB of credentials they find exposed in dumps.
HIBP hashes them with SHA1.
HIBP provides an API.
You hash your password with SHA1.
You send the first 5 characters of that hash to HIBP's API.
HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
You search through that list of SHA1 hashes and find the one that's a complete match.
You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.
Go to https://haveibeenpwned.com/Pas... and open your network console.
Put "sexy" in the field.
The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
Your browser sends a GET request for https://api.pwnedpasswords.com....
The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.
Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.
If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.
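The range lookup walked through above, as an added example that is not code from HIBP or from the commenter: the client hashes locally, sends only the 5-character prefix, and does the suffix match itself. The `FakeRangeServer`, its rows and the "hunter2" count are constructed stand-ins for the offline run; `fetch_range_live` targets the real HIBP range endpoint and is the only part that touches the network.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; unused offline


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed locally and never sent whole."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range) -> int:
    """Return the breach count for the password, or 0 if its hash is not in the range.

    fetch_range(prefix) returns the response text for a 5-char hash prefix.
    Only that prefix leaves this function; the 35-char suffix match is done here.
    """
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real HIBP range endpoint (network required)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class FakeRangeServer:
    """Constructed stand-in for the API: a few (hash, count) rows plus a log of the
    prefixes it was asked for, so the caller can verify what actually left the client."""

    def __init__(self, rows: dict):
        self.rows = rows  # {full_sha1_hex: breach_count}
        self.requests = []

    def fetch_range(self, prefix: str) -> str:
        self.requests.append(prefix)
        hits = [f"{h[5:]}:{n}" for h, n in self.rows.items() if h.startswith(prefix)]
        return "\r\n".join(hits)


if __name__ == "__main__":
    # Constructed rows: the count for "sexy" is the one quoted above; "hunter2" is made up.
    server = FakeRangeServer({sha1_hex("sexy"): 104937, sha1_hex("hunter2"): 17})
    print(check_password("sexy", server.fetch_range), "-> prefix sent:", server.requests[-1])
```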