Chrome to Check Passwords Against Hacked Databases
Chrome may soon warn users if their passwords have been compromised. It works by checking inputted passwords against those exposed in public data breaches.
The feature is already available for Chrome from an official Google extension known as Password Checkup, but users need to actively install this extension to use it. Web browser Mozilla Firefox already has a similar feature built-in.
Now a similar feature named "password leak detection" has been spotted in the code of Chrome Canary. That's a version of Chrome that includes test features planned for release in the main Chrome edition in a future update. The Canary name comes from miners taking a bird underground, the idea being that they would pass out or die from any gas leak and act as a warning before the humans suffered the same effects.
Feature Currently At 'Experiment' Stage
The new feature is very much at the testing stage as even within the Canary edition, it isn't enabled by default. Instead, users must manually switch it on in a section marked "Experiments." (Source: techdows.com)
The feature kicks in whenever a user enters a password on a website, whether by manually typing it or using a stored password. Chrome then checks the password against a database of publicly leaked passwords that have been exposed by hackers.
If there's a match, the user sees a pop-up message reading "Chrome found this password on a public list of unsaved passwords that were part of a data breach." It suggests the user review their password and also offers a randomly generated password to use in its place. (Source: express.co.uk)
Reused Passwords Could Be Caught
In some cases they'll be left to do this manually. In other cases, Chrome will redirect the user to the relevant page on the website in question for changing password details.
The feature only looks for the password on leaked lists rather than trying to match it to a specific site. The idea isn't solely to prevent a compromised account of the site the user is visiting right now, but rather to also look for cases where people reuse the same passwords.
That's because of the risk that when a site's password database is exposed, hackers will take a user's login details from that site and try it on other popular websites to see if they've reused it.
What's Your Opinion?
Would you find this feature useful? Should it be enabled by default or kept as an optional extra? Is there a risk that the people who most need such warnings will be more likely to ignore them?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
Password Checkup
cannot locate this extension in Chrome on my desktop ?
Password Checkup
@trbruce 9594: You can add the Chrome Password Checkup extension from here:
https://chrome.google.com/webstore/detail/password-checkup-extensio/pncabnpcffmalkkjpajodfhijclecjno
Password Check Up
Thanks, wonder why it was so hidden, all that would come up when I typed in Password Checkup was Dashlane Password Manager.
Helpful?
doesn't his make the hackers job a little easier to test whether a password is used more than once? if I am a hacker and I find juliusceasar as a password for a site, can't I just then input juliusceasar and Chrome will tell me if it is used on more than one site? or is there a method to verify the input is by the actual user who has used it? for example, I need a sign-in and password to get a transmission quote. when I create that account with juliusceasar as the password, which I found via a hack, will Chrome give me a notice that that password is unique or that it has been used on various bank account ids?
Leaked lists
The warning will come from Chrome if it detects a password that is on a leaked password list. In other words, the password list is public knowledge and the hackers already have the list. Chrome is simply making the user aware if that particular password has been previously used in a leaked list. The idea is that it will prevent users from using passwords that have already proven to be compromised (regardless of user name).