The Password Checkup tool, which the tech giant released on Tuesday, warns you if the username and password that you’re using were stolen in any data breaches. It then prompts you to change them if they were.
Even data breaches from more than a decade ago can still hurt victims if they haven’t changed their passwords. Consider this: A collection of 2.2 billion stolen credentials, dating as far back as 2008, continues to float around in hacker forums. Cybercriminals count on you being lazy.
For context, hackers could take over 2.2 million accounts if just one-tenth of 1 percent of the passwords in that massive leak haven’t been updated.
Google’s own database of collected credentials from public breaches contains over 4 billion usernames and passwords, said Kurt Thomas, a research scientist at Google.
The company has used that database for the last five years to protect Google users who could be affected by third-party breaches. More than 110 million accounts were kept safe through this measure, Thomas said.
“Without this safety measure, you’re about 10 times more likely to fall victim to an account takeover,” he said.
Google’s Chrome dominates the browser market, accounting for 62 percent of website usage today, according to analytics firm StatCounter.
The Chrome extension is similar to what Nest, a smart home company that Google owns, does for its users.
Nest monitors publicly leaked password databases and checks its own databases for matches. If a user’s email and password for outside services are involved, Nest sends an alert requesting the person to change passwords — even if the company’s own data wasn’t affected by the breach.
Google isn’t the only company that does this. Facebook’s security team also monitors public breaches. So does Netflix’s.
This prevents hackers from being able to reuse passwords stolen from one service on another website. Hackers often employ this tactic to take over accounts, given how many people are likely to use the same password again and again. In a survey by Google and Harris Poll of 3,000 adults in the US, for instance, 65 percent of respondents said they reuse a password across multiple accounts. (Even so, about 60 percent of respondents say they have “too many passwords to remember,” according to the survey.)
In 2016, hackers said they were able to access Facebook CEO Mark Zuckerberg’s Twitter account by using his LinkedIn password, which was stolen in a 2012 breach.
Google’s new tool doesn’t save or view your passwords to match them with its database of hijacked credentials, according to Google.
The 4 billion credentials in Google’s database are hashed and encrypted, and so are the passwords and usernames a person would type in to compare using the Chrome extension. It uses a cryptography technique called “blinding” so Google can compare your passwords without ever needing to view them.
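The blinding idea described above can be sketched with commutative exponentiation. This is an added illustration, not Google's code and not part of the original article; the toy group, the hash-to-group step, and the names `BreachServer` and `client_is_breached` are assumptions chosen to keep it short.

```python
import hashlib
import math
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2**521 - 1, picked
# so the sketch needs only the standard library. Not a production parameter.
P = 2**521 - 1
ORDER = P - 1

def hash_to_group(username: str, password: str) -> int:
    """Map a credential pair to a nonzero group element."""
    digest = hashlib.sha512(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def random_exponent() -> int:
    """Pick a secret exponent that is invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k

class BreachServer:
    """Stores breached credentials only as H(cred)^b for a secret key b."""

    def __init__(self, breached):
        self._b = random_exponent()
        self.blinded_set = {pow(hash_to_group(u, p), self._b, P)
                            for u, p in breached}

    def reblind(self, client_value: int) -> int:
        # The server only sees H(cred)^a, never the credential or its hash.
        return pow(client_value, self._b, P)

def client_is_breached(server: BreachServer, username: str, password: str) -> bool:
    a = random_exponent()                        # fresh blinding key per lookup
    blinded = pow(hash_to_group(username, password), a, P)
    doubled = server.reblind(blinded)            # H^(a*b)
    unblinded = pow(doubled, pow(a, -1, ORDER), P)   # strip a, leaving H^b
    # In a real deployment the client would fetch the blinded entries over the
    # network; here the set is read directly for brevity.
    return unblinded in server.blinded_set

# Constructed sample data, not real leaked credentials.
SERVER = BreachServer([("alice@example.com", "hunter2"),
                       ("bob@example.com", "123456")])
```

Because the client removes only its own key, the value it compares is still protected by the server's key, so neither side learns the other's raw data.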
Hacks happen almost daily, but you’re not expected to check every day to see if your account information was leaked in a breach. People simply have a hard time staying on top of security-related matters. Up to 69 percent of respondents to Google’s survey said they were excellent at protecting their own accounts, yet only 32 percent even knew what phishing and two-factor authentication are.
Password Checkup is designed to fill that security gap by automatically checking and warning people if they could be impacted by a potential hack.
“We felt this was important and tried to do this as a community service and help our users everywhere,” said Elie Bursztein, Google’s anti-abuse research team lead.