Stolen Password Check: Google’s Chrome extension arrives to find out if it’s compromised

With billions of compromised accounts around the web, it becomes increasingly difficult to make sure your accounts are secure. And just for this reason and on the occasion of Safer Internet Day, Google has released a new extension specifically for the Chrome browser that automatically and safely controls the credentials used on the websites verifying their presence in the leaked databases online. in these years.

The Google extension is called Password Checkup, and is already available for download right away. The ultimate goal is to check the security of any password entered in the browser, either manually entered or stored in the internal manager, and inform the user if there are any similarities with the entries in the database (protected by encryption) of Google that contains billions of compromised accounts.

The protocol used by the extension was presented as a standard for the secure control of account credentials, and the interface could be offered to third parties to expand the spread for the highest possible number of users.

We are obviously talking about a delicate operation that concerns extremely sensitive data. The Google security team has been providing password control for some time, but to date it has been limited to doing so for G Suite users only.

Doing the same for the credentials used on all the other services on the web is obviously a totally different matter, a subject in which the privacy aspect becomes extremely delicate on both sides. If, on the one hand, there are users who obviously do not want to offer their passwords in clear to Google, on the other hand, Google itself has a database of compromised accounts that does not want to share publicly.

Precisely to solve the problem at birth Password Checkup uses several procedures that make anonymous the data processed, in addition to the encryption necessary to protect any phase of data exchange between the browser and security services of Big G.

The extension also adopts a technique called ” blinding ” to create a secret search index with which to compare the information exchanged, and the credentials are rendered anonymous by an Argon2 hash function, which creates a search key for the Google database that is protected with elliptical cryptography.

Kurt Thomas of Google emphasized that ” from the user’s side, we get an index that only the user can know “, an index that is managed in ” hash ” format and with only partial coding of the information so as not to can be used in any way to recreate a full version of the login credentials.

The database used by Google contains data collected from password dumps that have ended up online or in underground markets, and currently consists of an amount of 4 billion compromised credentials constantly updated. And even the same destination of use of the database seems to be updating.

The company has declared that it is developing new possibilities of use, and that it is open to suggestions on how the database could be exploited. The same could be a valuable resource for security companies and search threats, in order to identify traces of critical accounts already compromised on third-party services.

At the moment, the company intends to give the people of the Internet a useful and simple tool to use – as well as completely transparent in operation – to understand if the time has come to change passwords or even deeply revolutionize the strategy used in use of online credentials.