Slashdot Mirror


Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com)

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

20 of 90 comments

  1. Old Solution by Anonymous Coward · · Score: 3, Interesting

    The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

    1. Re:Old Solution by Oswald+McWeany · · Score: 2

      > The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

      Indeed; I don't want to give Chrome my username or credentials. Granted, it could scrape my username when I log in places, but I'm assuming that is too low, even for Google.

      --
      "That's the way to do it" - Punch
    2. Re:Old Solution by sabri · · Score: 3, Informative

      Why link to Engadget when you can link to the actual article itself? https://security.googleblog.co...

      Must be kickbacks to msmash.

      --
      I'm not a complete idiot... Some parts are missing.
    3. Re:Old Solution by Immerman · · Score: 2

      > I don't want to give Chrome my username or credentials.
      Then don't use Chrome. Google is a surveillance-and-marketing company, and you have absolutely no idea what their browser might be doing behind the scenes.

      As it is though, there's no particular reason to believe Chrome is sending your username and password anywhere but to the website you intended - that would be a liability nightmare, and I'm not seeing any profit to be made. The proper way to do this would be to generate an irreversible hash of your username and password pair, and send that to be looked up in their database. Then they send back any pairs found with a matching hash for comparison on your computer.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. So, how does it work? by Anonymous Coward · · Score: 4, Insightful

    How does it work? Does it keep a local database of 4 billion compromised credentials and check against them? Or, let me guess, it uploads all of my passwords to a Google-controlled server to check if they are secure? Hmm, I wonder what could go wrong with this plan.

    1. Re:So, how does it work? by darkain · · Score: 2

      they are called hashes, and have been used forever. google doesn't need to store user passwords in their database or transmit them over the wire at all. google simply stores a hash of the username+password combination. when you enter credentials, that same hash is generated locally, then the resulting hash is transmitted over the wire and checked against the database. this is trivial to implement these days.

    2. Re:So, how does it work? by Dynedain · · Score: 5, Informative

      You could read the article or the original blog post:
      https://security.googleblog.co...

      Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.

      Your full plaintext password and full hashed password are never sent to Google.

      There's a nice diagram on the blog post that explains everything at a fairly deep level.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    3. Re:So, how does it work? by Oswald+McWeany · · Score: 2

      > they are called hashes, and have been used forever. google doesn't need to store user passwords in their database or transmit them over the wire at all. google simply stores a hash of the username+password combination. when you enter credentials, that same hash is generated locally, then the resulting hash is transmitted over the wire and checked against the database. this is trivial to implement these days.

      True, but "doesn't need to" does not equal "won't".

      --
      "That's the way to do it" - Punch
    4. Re:So, how does it work? by darkain · · Score: 2

      Did you enable profile syncing between devices? Chrome already supports password sync features, which can 1) be disabled, and 2) be entirely unavailable if not logged into the syncing services at all.

    5. Re:So, how does it work? by sexconker · · Score: 5, Informative

      They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas...
      Though they're also probably stealing your passwords. It is Google, after all.

      HIBP maintains a DB of credentials they find exposed in dumps.
      HIBP hashes them with SHA1.
      HIBP provides an API.
      You hash your password with SHA1.
      You send the first 5 characters of that hash to HIBP's API.
      HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
      HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
      You search through that list of SHA1 hashes and find the one that's a complete match.
      You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.

      Go to https://haveibeenpwned.com/Pas... and open your network console.
      Put "sexy" in the field.
      The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
      Your browser sends a GET request for https://api.pwnedpasswords.com....
      The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.

      Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.

      If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.
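
      The range lookup sexconker walks through (and Dynedain summarises above), as an added example that is not code from either post or from HIBP: only the 5-character prefix of the SHA-1 hash is handed to the fetch function, the suffix comparison happens locally, and the API response is a constructed stand-in that carries the 104937 count quoted above plus two made-up neighbours.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password was seen in dumps (0 = not found).

    fetch_range(prefix) stands in for the HTTPS GET; it only ever sees the prefix,
    so the server learns nothing beyond a bucket of roughly 1/16^5 of all hashes.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    candidates = parse_range_response(fetch_range(prefix))
    return candidates.get(suffix, 0)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the API (constructed, not real output).

    Returns the suffix for "sexy" with the count from the comment above, plus two
    decoy suffixes, so the caller has to do the local comparison step.
    """
    _, sexy_suffix = split_hash(sha1_hex("sexy"))
    lines = [
        "0000000000000000000000000000000000A:3",   # constructed decoy
        f"{sexy_suffix}:104937",                    # count quoted in the comment
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12",  # constructed decoy
    ]
    return "\r\n".join(lines) + "\r\n"
```

A real client would swap `constructed_fetch` for an HTTPS GET of the range endpoint with the prefix in the path, and nothing else changes.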

    6. Re:So, how does it work? by thegarbz · · Score: 3, Insightful

      Let's try this experiment. But for real.

      I use Chrome on a work computer. I log in to some web sites and Chrome conveniently remembers my passwords for those sites.

      Last April I get a shiny new Google Pixelbook. (think: glorified web browser with 8 GB, core i5 and 128 GB SSD -- unless you put it in developer mode effectively rooting it so it can do useful things)

      Using the Pixelbook (which is Chrome OS, of course, and thus Chrome), I am able to go to my favorite web sites, and -- like magic! -- Chrome conveniently knows my login credentials to those sites.

      Hmmm, didn't work for me. But then I didn't enable the completely optional feature of password synchronisation, which is literally the second setting in Chrome underneath where you select your Google account.

  3. interesting... by CrimsonAvenger · · Score: 2, Interesting

    So, if I try name/password combinations till I get a hit, Google will tell me I've gotten a hit (on someone's account, somewhere).

    If it tells me where the UID/Pwd combo exists, I can then change someone's password for them? That could be useful....

    --
    "I do not agree with what you say, but I will defend to the death your right to say it"
    1. Re:interesting... by Anonymous Coward · · Score: 2, Insightful

      Somebody could put in the effort to do that, or they could go the much easier route of using the original password dumps found on various nefarious websites.

    2. Re:interesting... by Immerman · · Score: 2

      Why go through all that effort? Just go download the same database(s) Google did and get all the compromised credentials in plain text - it's publicly available on various hacker sites after all.

      That's the whole point - Google is warning you that your credentials are already public knowledge among criminals and intelligence agencies.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  4. What *can* Google see? by Immerman · · Score: 3, Informative

    Google *can* see everything you do with Chrome - every click, every keystroke, every image you linger on a bit longer than is seemly. That capability is well within their ability, aka they *can* do it. The real question is how much of that they *choose* to collect and send back home, rather than simply having the ability to do so.

    This seems like it should be benign enough though - not much advantage to be gained collecting this information (and a lot of potential liability and bad PR), and it's simple enough to hash a name/password combination and send it back to the server in order to retrieve any/all pairs with a matching hash for comparison on your computer.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  5. Info. by grep+-v+'.*'+* · · Score: 2
    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  6. Give me all your passwords by rtkluttz · · Score: 2, Insightful

    I'll monitor my own shit thank you. I trust YOU (Google) even less than the bad guys.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
  7. Could just be a hash... by SuperKendall · · Score: 2

    It could just upload a hash of your password... but even so I would not want my username going up with even just a hash to anywhere but where I am logging in.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Could just be a hash... by Immerman · · Score: 2

      More likely it uploads a hash of your combined username+password. After all, there's nothing to be gained by sending the username in plain text.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  8. Re:So a hash of your password goes to the cloud? by Immerman · · Score: 2

    Only if your compromised credentials are in the database, in which case they already have them and nothing is gained by monitoring your query.

    Besides which, the database is itself already publicly available on cracker sites, that's the point. Google is simply checking to see if your credentials are already public knowledge.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.