Google to Tell Users if Passwords Hacked

By John Lister

Google has launched a new tool to make it easier to know if a password has been hacked. But the way it works has raised some questions.

The tool is called "Password Checkup" and is an extension for the Chrome web browser. It's designed to deal with details that are known to be part of a security breach, rather than offering more general advice such as using long passwords.

If a user installs Password Checkup, Google will run a check whenever they log in to any site (not just ones Google operates). If it matches any entries on a database of known breaches, Chrome will display a warning message encouraging the user to reset their login details on the site in question.

Risk Of Brute Force Attack

Unlike some similar tools, Password Checkup only looks for breaches that contain the specific combination of username (or email address) and password. Some other services run one search for the username or email address and a separate search for the password.

Google's approach has a real benefit: it sidesteps the problem that, frankly speaking, almost any username or email address has probably appeared in at least one security breach at some point. That fact isn't necessarily significant, and it doesn't necessarily pose a security threat for the particular site the user is visiting right now.

According to Paul Wagenseil of Tom's Guide, the downside to the "Password Checkup" tool is that it can be reverse engineered. For example, hackers might attempt a dictionary attack against Google's database with username/password combinations, which would then reveal information about a particular user. That would be a major security problem if it succeeded. (Source: tomsguide.com)

Google Details Security Measures

For its part, Google says it has designed the system "to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords."

It says the key is to make sure the tool can "query Google about the breach status of a username and password without revealing the information queried." To do this, it uses "rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding." (Source: googleblog.com)

In simpler terms, what Google is doing is a little like the riddle about getting a chicken, a fox and a bag of grain across the river. The relevant data goes back and forth between the user's computer and Google's servers in a somewhat convoluted sequence of encryption, decryption and re-encryption. The idea is that if anyone intercepts or accesses any of the data without permission, they won't be able to make any sense of it.
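To make the three building blocks Google names (hashing, k-anonymity and blinding) concrete, and to show why checking the username/password pair differs from checking either on its own, here is an added Python sketch. It is not Google's code and it simplifies the published design: the group is integers modulo the Mersenne prime 2^127-1 (a production design would use an elliptic-curve group), the bucket id is a two-byte hash prefix, the private information retrieval step is omitted, and all class and function names are assumptions for the example. The server only ever sees the short prefix and a blinded group element; the client unblinds the reply and decides membership locally.

```python
import hashlib
import math
import secrets

# Toy-sized multiplicative group modulo the Mersenne prime 2**127 - 1 (assumption for
# this example; a production design would use an elliptic-curve group).
P = (1 << 127) - 1
PREFIX_BYTES = 2  # k-anonymity bucket id: only these bytes of the hash leave the client


def random_exponent() -> int:
    """Random exponent invertible mod the group order P-1, so x -> x**e is a permutation."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e


def credential_hash(username: str, password: str) -> bytes:
    """Hash the username/password pair together: a match means this pair was breached,
    not merely that the username or the password appeared somewhere on its own."""
    return hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()


def to_group_element(h: bytes) -> int:
    # Map the hash into the group; 'or 1' avoids the degenerate zero element.
    return int.from_bytes(h, "big") % P or 1


def bucket_id(h: bytes) -> bytes:
    return h[:PREFIX_BYTES]


class BreachServer:
    """Stores breached pairs only as keyed values H(x)**k, indexed by hash prefix."""

    def __init__(self, breached_pairs):
        self.k = random_exponent()  # server secret; never leaves the server
        self.buckets = {}
        for user, pw in breached_pairs:
            h = credential_hash(user, pw)
            keyed = pow(to_group_element(h), self.k, P)
            self.buckets.setdefault(bucket_id(h), set()).add(keyed)

    def query(self, prefix: bytes, blinded: int):
        """Server view: a short prefix and a blinded element, neither of which reveals
        the credential or its hash. Returns the keyed query plus the whole bucket."""
        return pow(blinded, self.k, P), self.buckets.get(prefix, set())


class Client:
    def __init__(self, server: BreachServer):
        self.server = server

    def is_breached(self, username: str, password: str) -> bool:
        h = credential_hash(username, password)
        g = to_group_element(h)
        r = random_exponent()                     # fresh blinding factor per query
        blinded = pow(g, r, P)                    # server sees g**r, not g
        keyed_blinded, bucket = self.server.query(bucket_id(h), blinded)
        # Unblind: ((g**r)**k)**(r**-1) == g**k because r * r**-1 == 1 (mod P-1).
        keyed = pow(keyed_blinded, pow(r, -1, P - 1), P)
        # Membership is decided locally; the server never learns the verdict.
        return keyed in bucket


if __name__ == "__main__":
    # Constructed sample breach data, not real leaked credentials.
    server = BreachServer([("alice@example.com", "hunter2"), ("bob@example.com", "letmein")])
    client = Client(server)
    print(client.is_breached("alice@example.com", "hunter2"))   # True
    print(client.is_breached("alice@example.com", "new-pass"))  # False
    print(client.is_breached("bob@example.com", "hunter2"))     # False: pair, not password alone
```

The design choice worth noticing is where the secrets sit: the server's exponent k never leaves the server, the client's blinding factor r never leaves the client, and the only thing the two parties share in the clear is a two-byte prefix that many unrelated credentials also share. A dictionary attack of the kind Wagenseil describes would have to go through the server's rate-limited query interface one blinded guess at a time, rather than reading hashes out of a downloaded database.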

What's Your Opinion?

Will you use this tool? How useful would you find it? Do you have any security concerns about using it?


Comments

jomar

Google wants to know everything about its users. Why?
I do not feel this is good. Why does a service provider or a search engine need to know everything about its users? What if "google checkup" gets hacked??

ehowland

Google (etc.) already know too much. Having them more involved.

I use a (paid) password manager (concerns abound on a "free" service). If THAT password manager had a tool like the one talked about above I MIGHT consider it, but having Google in the middle, no way, and "logging in" using Fakebook or some other account is also not good IMO.

grahroll_4889

https://haveibeenpwned.com/ is a site that allows you to see if your email address has been compromised in any breaches or used in lists sold on the internet. It really is just a check and as noted in the article above your email addresses have likely been compromised at some time.

As a starting point for at least getting people to change passwords for sites more regularly, it seems to me to be of some help. You can register your email addresses at the site and if future breaches involving those addresses occur you are given email advice.

There are some other searches available on the site, including one against some 551,509,767 passwords already pwned, and there is an API available if you wish to use it in an extension or similar to get info from the site's database.
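The password API the commenter mentions is the Pwned Passwords range endpoint, which uses the same k-anonymity idea as the article's tool: the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix in that bucket with its breach count. The Python below is an added example, not haveibeenpwned.com's own client code; the endpoint URL and response format are as documented by that site, the User-Agent string is a placeholder, and the sample response body is constructed for the offline check (the suffix for "password" is its real SHA-1 suffix, the counts and the other two suffixes are made up).

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # k-anonymity range endpoint


def split_sha1(password: str):
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent and the
    35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue  # skip malformed lines rather than trusting them
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count_from_body(password: str, body: str) -> int:
    """Match the locally kept suffix against the returned bucket; 0 means not found."""
    _, suffix = split_sha1(password)
    return parse_range_response(body).get(suffix, 0)


def pwned_count(password: str, timeout: float = 10.0) -> int:
    """Live lookup (needs network). Only the 5-char hash prefix is transmitted."""
    prefix, _ = split_sha1(password)
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-checkup-demo"},  # placeholder identifier
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return pwned_count_from_body(password, resp.read().decode("utf-8"))


# Constructed sample response for the "5BAA6" bucket, not captured from the live API.
# The first suffix is the genuine remainder of SHA-1("password"); counts are made up.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00000000000000000000000000000000001:2\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0:17\r\n"
)

if __name__ == "__main__":
    print(pwned_count_from_body("password", SAMPLE_RANGE_BODY))      # 3861493
    print(pwned_count_from_body("some-other-string", SAMPLE_RANGE_BODY))  # 0
```

Because the lookup is decided by comparing the retained suffix against the bucket locally, the service learns only which of roughly a million buckets the password falls into, never the full hash. That is the same reasoning the article gives for Google's design, minus the blinding step, which is why Pwned Passwords can publish its database for download while Google's keyed values cannot be checked without the server's cooperation.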