Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com)

Posted by msmash on from the how-about-that dept.

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

7 of 90 comments (clear)

  1. Old Solution by Anonymous Coward · · Score: 3, Interesting

    The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

    1. Re:Old Solution by sabri · · Score: 3, Informative

      Why link to Engadget when you can link to the actual article itself? https://security.googleblog.co...

      Must be kickbacks to msmash.

      --
      I'm not a complete idiot... Some parts are missing.
  2. So, how does it work? by Anonymous Coward · · Score: 4, Insightful

    How does it work? Does it keep a local database of 4 billion compromised credentials and checks against them? Or, let me guess, it uploads all of my passwords to a Google-controlled server to check if they are secure? Hmm, I wonder what could go wrong with this plan.

    1. Re:So, how does it work? by Dynedain · · Score: 5, Informative

      You could read the article or the original blog post:
      https://security.googleblog.co...

      Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.

      Your full plaintext password and full hashed password are never set to Google.

      There's a nice diagram on the blog post that explains everything at a fairly deep level.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    2. Re:So, how does it work? by sexconker · · Score: 5, Informative

      They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas...
      Though they're also probably stealing your passwords. It is Google, after all.

      HIBP maintains a DB of credentials they find exposed in dumps.
      HIBP hashes them with SHA1.
      HIBP provides an API.
      You hash your password with SHA1.
      You send the first 5 characters of that hash to HIBP's API.
      HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
      HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
      You search through that list of SHA1 hashes and find the one that's a complete match.
      You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.

      Go to https://haveibeenpwned.com/Pas... and open your network console.
      Put "sexy" in the field.
      The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
      Your browser sends a GET request for https://api.pwnedpasswords.com....
      The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.

      Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.

      If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.

    3. Re:So, how does it work? by thegarbz · · Score: 3, Insightful

      Let's try this experiment. But for real.

      I use Chrome on a work computer. I log in to some web sites and Chrome conveniently remembers my passwords for those sites.

      Last April I get a shiny new Google Pixelbook. (think: glorified web browser with 8 GB, core i5 and 128 GB SSD -- unless you put it in developer mode effectively rooting it so it can do useful things)

      Using the Pixelbook (which is Chrome OS, of course, and thus Chrome), I am able to go to my favorite web sites, and -- like magic! -- Chrome conveniently knows my login credentials to those sites.

      Hmmm didn't work for me. But then I didn't enable the completely optional feature of password synchronisation which is literally the second setting in Chrome underneath where you select your Google account.

  3. What *can* Google see? by Immerman · · Score: 3, Informative

    Google *can* see everything you do with Chrome - every click, every keystroke, every image you linger on a bit longer than is seemly. That capability is well within their ability, aka they *can* do it. The real question is how much of that they *choose* to collect and send back home, rather than simply having the ability to do so.

    This seems like it should be benign enough though - not much advantage to be gained collecting this information (and a lot of potential liability and bad PR), and it's simple enough to hash a name/password combination and send it back to the server in order to retrieve any/all pairs with a matching hash for comparison on your computer.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.