Google's Password Checkup Will Alert If Your Password Was Breached

According to Harris Poil and Google’s survey released Wednesday, about 25% of US people are using simple passwords such as “123456,” “abc123,” and “Admin.” If you are using such simple passwords, Google now helps you will its Password Checkup tool, which has been added to its accounts management service.

The search giant said that this tool would be integrated into its Password Manager, and it will warn users of their passwords and usernames were hacked in data breaches. Back in February, Google initially launched the tool as an extension in Google Chrome.

According to Mark Risher, director of account security at Google, the extension was meant to be a default tool. When the company rolled out the extension in February, it aimed to experiment with the way of presenting this toll to the public, Risher explained, but the ultimate goal was bringing it to many people as it could. He stated:

Hackers have a special technique known as credential stuffing. As users tend to reuse their passwords for different accounts, hackers will try to enter those passwords, signing in the most accounts possible. For example, in 2012, your account information in a Yahoo breach was stolen. If you reused it, those credentials could be used by hackers to hack your Dunkin’ Donut account years later.

The survey results showed that 66 percent of respondents used one password for several accounts, making them targets for attacks. The new extension could notify users by automatically checking the credentials of users, finding out if their data were hacked. It is something that Google's Nest, Facebook, and Netflix also do.

As stated by Risher, for a month, approximately 10 million passwords were scanned, and over 1 million users have downloaded the extension since February. Blinding, a special cryptography technique, is used so that without viewing people’s data, Google can compare their passwords with a leaked password database in different public breaches.

Eight months ago, the search giant reported that it has 4 billion passwords and usernames in its database, which it gathered from public breaches. The database keeps growing as more breaches happen. Also, the credentials are encrypted and hashed.

Risher also said that during the first month of installing the extension, nearly 50% of users received at least an alert about their exposed passwords. He also added that Google Checkup helped to protect about 750,000 accounts. After having looked through 21 million logins last month, they had detected 316,000 passwords that were breached.

Google will add the Password Checkup too to its Password Manager, which means people don't have to download the extension. However, it will not be an automatic checkup, so users will have to use the tool each time they learn about a new breach.

This December, when the tool is integrated into Chrome, only when users sign in to accounts will the vulnerable password be flagged. The company may make the tool automatic in the future, Risher said.

When people see the advantages and understand how beneficial the tool is, the company will quickly develop the automatic mode.

Besides detecting breached passwords, reused or weak ones like “123456” will also be identified. Password Checkup will remind users to update vulnerable credentials as well as save different passwords to the Password Manager.

Password quality is measured base on the guidelines of the US National Institute of Standards and Technology. In the guidelines, a password should have eight characters in minium and users shouldn't use words that can be found in the dictionary. Risher said: