Google has released an optional extension for the Google Chrome browser that will trigger a visual warning if it identifies that you are using a username/password combination that it knows to be unsafe.
The Password Checkup Chrome extension registers the details as you enter your username and password on a website.
If it determines they have been exposed in a past data breach, even if that breach happened at a different website other than the one you are accessing, it displays an alert telling you to reset your password.
- Google says Password Checkup was built with privacy in mind and that it never reports any identifying information about your accounts, passwords or device.
- It won’t flag up weak passwords; rather it’s looking for the combination of a password and username that have been leaked in a data breach.
At first glance, Google’s Password Checkup extension appears similar to Mozilla’s Firefox Monitor tool that enables people to check if their accounts might be at risk when they visit sites that have previously been breached.
While ostensibly a practical tool that many might find useful it does raise questions:
- Because it actually examines your login credentials, that is, username, email address and password, how can you be sure this data won’t fall into the wrong hands?
- How many people feel comfortable knowing that a browser extension is scooping up your passwords, email address and user name? Will you feel comfortable that Google has done its job properly?
Google says that Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any data breach stays safe from wider exposure.
Browsers can be hacked
It’s worth noting that browsers can be hacked, potentially spilling out all the information stored in them. At one point browser hacked were relatively commonplace. Then they faded and now they are resurfacing again.
- Very recently a scam was detected which starts with a fake error message for the Google Chrome browser.
- Malicious code which underlies the fake error message then locks up the browser.
- After the malicious code locks the browser, the fake warning tries to trick a user into calling a number.
- If the number is called, a person posing as a company representative asks for sensitive personal or financial information to fix the bogus issue.
While this doesn’t relate directly to Google’s Password Checkup, unless the fraudster asks for usernames, email addresses and passwords, it does indicate that browsers are vulnerable to attack.
That said, Google is confident that even if data is hacked from a browser, the encryption is tough enough to stop attackers from gaining access to it.
As such Password Checkup could be useful to some internet users, but it’s not a replacement:
- For investing in a good password manager.
- Signing-up for a breach notification service such as HaveIBeenPwned.
Using comprehensive security software such as BullGuard Premium Protection
which safeguards all your personal data.