Google Can Now Tell You If Your Password Was in a Data Breach
A new tool provides actionable alerts for users who try to log in to a site with credentials that have appeared in a data breach.
Google has rolled out two new features to help users better protect their data across the internet.
A trio of researchers from Google’s Security and Anti-abuse research team, Jennifer Pullman, Kurt Thomas, and Elie Bursztein, broke down the features on Tuesday.
One of them, a Chrome browser extension named Password Checkup, developed with the help of cryptography experts at Stanford University, notifies users if a username and password they've entered appear to have been compromised in a data breach. The extension is currently available on the Chrome Web Store.
On the surface it's fairly straightforward: when a user signs in with a username and password that appear in a known breach, the extension prompts them to change that password. After the user has changed it, or if none of their credentials appear to be affected by a breach, the extension reports that they're protected.
Going deeper, on a more granular level, it's quite technical and relies on cryptography. The extension hashes the username and password locally and sends Google only a short prefix of that hash, which Google calls an anonymous hash prefix, along with a blinded copy of the full value. Google answers with an encrypted set of every breached username and password that shares that prefix, and the final comparison is done on the user's device rather than on Google's servers.
Google claims that during the process it doesn't actually learn usernames, passwords, or what device a user is on. The extension manages, through "multiple rounds of hashing, k-anonymity, private information retrieval, and blinding" to comb through 4 billion records to determine whether a username or password has been exposed by a breach.
K-anonymity is a privacy model, typically employed on large datasets, in which any one record is indistinguishable from at least k-1 others; here, the short hash prefix sent to Google matches many different credentials, so Google cannot tell which one is being checked. Blinding, cryptographically speaking, lets a client have a server compute a function on a value without the server learning either the real input or the real output; a user's blinded hash therefore reveals nothing about the underlying username or password.
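The following is an added illustration of how a hash-prefix lookup with blinding fits together, written for this edit and not taken from Google's extension or from the Stanford researchers. Everything specific in it is an assumption made for the demonstration: SHA-256 stands in for the password hash the real system uses, an 8-bit prefix is used so that a small constructed corpus still has several credentials per bucket, and blinding is done with modular exponentiation in a toy prime-order group rather than with the elliptic-curve construction a production system would use. The breach corpus is constructed sample data.

```python
"""Toy model of a k-anonymous, blinded breached-credential lookup (illustrative only).

The server keys every breached hash with a secret exponent b.  The client sends
only (prefix, g^a) where g is its own credential hash and a is a fresh random
exponent; it gets back g^(ab) and the keyed bucket, unblinds to g^b and checks
membership locally.  The server never sees g, the result, or anything beyond
the prefix and a blinded value.
"""
from __future__ import annotations

import hashlib
import math
import secrets

P = 2**521 - 1        # Mersenne prime; we work in Z_P^* (toy group, assumption)
ORDER = P - 1         # order of Z_P^*, used to invert blinding exponents
PREFIX_BITS = 8       # assumption: deliberately short so many credentials share a prefix


def credential_digest(username: str, password: str) -> bytes:
    """Hash the credential pair.  Assumption: SHA-256 stands in for the real hash."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).digest()


def hash_prefix(digest: bytes) -> int:
    """The only unblinded value the client sends: the top PREFIX_BITS of the hash."""
    return int.from_bytes(digest[:2], "big") >> (16 - PREFIX_BITS)


def to_group(digest: bytes) -> int:
    """Map a digest to a group element in [2, P-1] (never 0 or 1)."""
    return int.from_bytes(digest, "big") % (P - 2) + 2


def random_exponent() -> int:
    """Random exponent invertible modulo ORDER, so it can be undone later."""
    while True:
        e = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(e, ORDER) == 1:
            return e


class BreachServer:
    """Stores breached credentials as g^b, bucketed by hash prefix."""

    def __init__(self, breached: list[tuple[str, str]]):
        self.key = random_exponent()                      # server secret b
        self.buckets: dict[int, set[int]] = {}
        for user, pw in breached:
            d = credential_digest(user, pw)
            keyed = pow(to_group(d), self.key, P)
            self.buckets.setdefault(hash_prefix(d), set()).add(keyed)

    def query(self, prefix: int, blinded: int) -> tuple[int, set[int]]:
        """Return (blinded^b, every keyed hash sharing the prefix)."""
        return pow(blinded, self.key, P), set(self.buckets.get(prefix, ()))

    def bucket_size(self, prefix: int) -> int:
        """How many breached credentials hide behind one prefix (the 'k')."""
        return len(self.buckets.get(prefix, ()))


def password_checkup(server: BreachServer, username: str, password: str) -> bool:
    """Client side: True if (username, password) is in the server's breach corpus."""
    d = credential_digest(username, password)
    a = random_exponent()                                  # fresh blinding factor
    blinded = pow(to_group(d), a, P)                       # g^a hides g from the server
    doubly, bucket = server.query(hash_prefix(d), blinded)
    keyed = pow(doubly, pow(a, -1, ORDER), P)              # (g^(ab))^(1/a) = g^b
    return keyed in bucket


# Constructed sample breach corpus (not real data): two named entries plus filler
# so that most 8-bit prefix buckets hold several unrelated credentials.
BREACH_CORPUS = [("alice@example.com", "hunter2"), ("bob@example.com", "password1")]
BREACH_CORPUS += [(f"user{i}@example.com", f"pass{i}") for i in range(600)]
SERVER = BreachServer(BREACH_CORPUS)

if __name__ == "__main__":
    for user, pw in [("alice@example.com", "hunter2"), ("alice@example.com", "hunter3")]:
        prefix = hash_prefix(credential_digest(user, pw))
        print(user, "breached" if password_checkup(SERVER, user, pw) else "safe",
              "| server saw prefix", prefix, "shared by", SERVER.bucket_size(prefix))
```

The point to take from the code is the asymmetry of knowledge: the server learns a prefix that hundreds of credentials share and a group element it cannot relate to any hash, while the client is the only party that ever holds the unblinded keyed value and therefore the answer. Swapping SHA-256 for a slow password hash and the modular group for an elliptic curve changes the cost and the security margin but not this structure.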
The extension comes a few months after Firefox rolled out a similar tool, Firefox Monitor, to help its users check their email addresses against known breaches. Users can also sign up to get alerts if their information has been stolen. The service is powered by Troy Hunt's Have I Been Pwned, a go-to website since its inception for individuals concerned about their data being compromised in breaches.
In the event a user has their Google account hijacked, the second feature Google unveiled Tuesday, Cross Account Protection, extends protection to other apps and sites that use Google Sign In. The feature shares the fact that a security event has occurred, whether the account was hijacked or suspicious activity was detected, with the apps the affected user has signed into with Google.
Google says it worked with experts from Adobe, the Internet Engineering Task Force (IETF) and the OpenID Foundation on the feature, and that developers can start deploying it today.