Chrome Can Tell You if Your Passwords Have Been Compromised

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

So, how does it work?

How does it work? Does it keep a local database of 4 billion compromised credentials and checks against them? Or, let me guess, it uploads all of my passwords to a Google-controlled server to check if they are secure? Hmm, I wonder what could go wrong with this plan.

Re:So, how does it work?

[Dynedain]

You could read the article or the original blog post:
https://security.googleblog.co...

Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.

Your full plaintext password and full hashed password are never set to Google.

There's a nice diagram on the blog post that explains everything at a fairly deep level.

Re:So, how does it work?

[sexconker]

They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas...
Though they're also probably stealing your passwords. It is Google, after all.

HIBP maintains a DB of credentials they find exposed in dumps.
HIBP hashes them with SHA1.
HIBP provides an API.
You hash your password with SHA1.
You send the first 5 characters of that hash to HIBP's API.
HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
You search through that list of SHA1 hashes and find the one that's a complete match.
You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.

Go to https://haveibeenpwned.com/Pas... and open your network console.
Put "sexy" in the field.
The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
Your browser sends a GET request for https://api.pwnedpasswords.com....
The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.

Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.

If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.