In light of all the privacy landmines consumers have had to dance around in the past couple of years -- like the one in January that exposed 21 million passwords -- Chrome’s new extension could go far in giving consumers some much needed peace of mind.
The trigger is simple enough: when a user signs into a site, Chrome’s Password Checkup will scan its database of 4 billion data breaches to see if a username and password have been compromised. If the checker detects that a user’s credentials were exposed, Google will alert the user and suggest they reset their password, not only for that specific site but for anywhere the same username and password combinations are used.
“Password Checkup was built with privacy in mind,” writes Google in its overview of the extension. “It never reports any identifying information about your accounts, passwords, or device. We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.”
Steps to take
Chrome’s privacy team says they were led by three guiding principles: alerts that are actionable, not informational; putting privacy privacy at the heart of its design; and advice that avoids fatigue.
To get there, Google’s developers worked to get the process whittled down to four easy steps:
Install the Password Extension on Chrome;
Check to make sure the Password Extension icon has appeared on your Chrome browser;
Monitor alerts whenever Chrome detects you’re using unsafe credentials; and
Change your credentials immediately when told that your password and username have been compromised.
“We designed Password Checkup to only alert you when all of the information necessary to access your account has fallen into the hands of an attacker,” Google promises. “We won’t bother you about outdated passwords you’ve already reset or merely weak passwords like “123456”. We only generate an alert when both your current username and password appear in a breach, as that poses the greatest risk.”
Google continues its privacy crusade
Ever since digital big leaguers like Facebook -- and even its own Google+ -- were hobbled by data privacy gaffes that exposed the personal data of its users, Google has been on a mission to make sure it covers his rear end the best it can.
In 2018, the company raised the bar on how secure it felt websites were, marking all non-HTTPS sites as “not secure” in its Chrome browser. Google also implemented a search settings upgrade that allows consumers to control what they’ve searched for, delete what they want, and change what they consider important and eyes-off in their Google account.
“Google helps keep your account safe from hijacking with a defense in depth strategy that spans prevention, detection, and mitigation,” blogged the company’s anti-abuse team.
“As part of this, we regularly reset the passwords of Google accounts affected by third-party data breaches in the event of password reuse. This strategy has helped us protect over 110 million users in the last two years alone. Without these safety measures, users would be at ten times the risk of account hijacking.”
Google wants consumers to realize that this is the company’s first attempt with the new extension and that there may be hiccups along the way.
“Since this is a first version, we will continue refining it over the coming months, including improving site compatibility and username and password field detection,” Google said.
You can learn more about how Password Checkup works at this link.