Google’s password checking feature has slowly been spreading across the Google ecosystem this past year. It started as the “Password Checkup” extension for desktop versions of Chrome, which would audit individual passwords when you entered them, and several months later it was integrated into every Google account as an on-demand audit you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkup is being integrated into the desktop and mobile versions of Chrome 79.
All of these Password Checkup features work for people who have their username and password combos saved in Chrome and have them synced to Google’s servers. Google figures that since it has a big (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in innumerable security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.
The whole point of this is security, so Google is doing all of this by comparing your encrypted credentials with an encrypted list of compromised credentials. Chrome first sends an encrypted, 3-byte hash of your username to Google, where it is compared to Google’s list of compromised usernames. If there’s a match, your local computer is sent a database of every potentially matching username and password in the bad credentials list, encrypted with a key from Google. You then get a copy of your passwords encrypted with two keys—one is your usual private key, and the other is the same key used for Google’s bad credentials list. On your local computer, Password Checkup removes the only key it is able to decrypt, your private key, leaving your Google-key-encrypted username and password, which can be compared to the Google-key-encrypted database of bad credentials. Google says this technique, called “private set intersection,” means you don’t get to see Google’s list of bad credentials, and Google doesn’t get to learn your credentials, but the two can be compared for matches.
Building Password Checkup into Chrome should make password auditing more mainstream. Only the most security-conscious people would seek out and install the Chrome extension or perform the full password audit at passwords.google.com, and these people probably have better password hygiene to begin with. Building the feature into Chrome will put it in front of more mainstream users who don’t usually consider password security, which are exactly the kind of people who need this sort of thing. This is also the first time password checkup has been available on mobile, since mobile Chrome still doesn’t support extensions (Google plz).
Google says, “For now, we’re gradually rolling this out for everyone signed in to Chrome as a part of our Safe Browsing protections.” Users can control the feature in the “Sync and Google Services” section of Chrome Settings, and if you’re not signed into Chrome, and not syncing your data with Google’s servers, the feature won’t work.
With Password Checkup being integrated into Chrome, the extension is not really useful anymore. The Web version is still great as a full password audit for all your passwords stored by Google, and now the version built into Chrome will continually check your passwords as you enter them.