Chrome to Check Passwords Against Hacked Databases

By John Lister

Chrome may soon warn users when a password they enter has already been compromised. The feature works by checking entered passwords against those exposed in public data breaches.

The feature is already available for Chrome through an official Google extension, Password Checkup, but users have to find and install that extension themselves. Mozilla's Firefox browser already has a similar feature built in.

Now a similar feature named "password leak detection" has been spotted in the code of Chrome Canary. That's a version of Chrome that carries test features planned for release in the main Chrome edition in a future update. The Canary name comes from miners taking a bird underground: the bird would pass out or die from a gas leak before the miners felt any effect, acting as an early warning.

Feature Currently At 'Experiment' Stage

The new feature is very much at the testing stage: even within the Canary edition it isn't enabled by default. Instead, users must manually switch it on in a section marked "Experiments." (Source: techdows.com)

The feature kicks in whenever a user enters a password on a website, whether by typing it manually or by filling in a stored password. Chrome then checks that password against a database of passwords that have been publicly leaked in data breaches.

If there's a match, the user sees a pop-up message reading "Chrome found this password on a public list of unsaved passwords that were part of a data breach." It suggests the user review their password and also offers a randomly generated password to use in its place. (Source: express.co.uk)

Reused Passwords Could Be Caught

In some cases the user will be left to change the password manually on the site. In other cases, Chrome will take the user directly to the relevant page on the website in question for changing password details.

The feature only looks for the password on leaked lists; it does not try to match it to a specific site or account. The aim isn't solely to protect the account on the site the user is visiting right now, but also to catch cases where people reuse the same password across several sites.

That's because when a site's password database is exposed, attackers take the leaked login details and try them on other popular websites to see whether they've been reused, a technique known as credential stuffing.
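The two points above, that the lookup is against a leaked-password list and that it is keyed on the password alone rather than on a site, can be shown with a small simulation. This is an added example, not Google's or Chrome's code, and it does not describe Chrome's actual wire protocol; it uses the range-query scheme that public services such as Have I Been Pwned's Pwned Passwords use: the client hashes the password locally, sends only a short prefix of the digest, receives every stored suffix under that prefix, and matches locally, so neither the password nor its full hash leaves the client. The breach corpus, the site names, and the `LeakServer` and `check_login` names are constructed for illustration.

```python
import hashlib

# Constructed sample corpus standing in for the public leak lists. A real
# service holds hundreds of millions of digests and never the plaintexts;
# the plaintexts appear here only so the example is self-contained.
LEAKED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "juliusceasar"]
PREFIX_LEN = 5  # hex characters (20 bits) of the SHA-1 digest sent to the server


def sha1_hex(password: str) -> str:
    # SHA-1 is used here only as a lookup key into the leak corpus, which is
    # what these range-query services use; it is not a password storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LeakServer:
    """Server side of the range query (hypothetical name): indexes digests by
    prefix and records exactly what it learns from each request."""

    def __init__(self, plaintexts):
        self.index = {}
        for pw in plaintexts:
            digest = sha1_hex(pw)
            self.index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
        self.queries = []  # everything the server ever receives from clients

    def range_query(self, prefix: str) -> set:
        self.queries.append(prefix)
        return self.index.get(prefix, set())


def is_leaked(password: str, server: LeakServer) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix
    locally. The password and its full digest never leave the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


def check_login(site: str, password: str, server: LeakServer) -> str:
    """Mirror the behaviour described in the article: the lookup is keyed on
    the password alone, so a reused password is flagged on every site."""
    if is_leaked(password, server):
        return f"{site}: password found on a public breach list, change it"
    return f"{site}: no match"


SERVER = LeakServer(LEAKED_PLAINTEXTS)

if __name__ == "__main__":
    for site, pw in [("bank.example", "juliusceasar"),
                     ("shop.example", "juliusceasar"),
                     ("mail.example", "correct horse battery staple")]:
        print(check_login(site, pw, SERVER))
    print("server saw only these prefixes:", SERVER.queries)
```

With a five-entry corpus every prefix bucket holds a single suffix, so the server could trivially guess which password was queried; the privacy of the scheme comes from scale, since in a corpus of hundreds of millions of digests each 20-bit prefix covers several hundred entries and the server cannot tell which one the client cared about. The same property is why the warning is site-independent: the service never learns, and never needs, the site the password was typed into.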

What's Your Opinion?

Would you find this feature useful? Should it be enabled by default or kept as an optional extra? Is there a risk that the people who most need such warnings will be more likely to ignore them?


Comments

trbruce_9594:

cannot locate this extension in Chrome on my desktop ?

Stuart Berg:

@trbruce_9594: You can add the Chrome Password Checkup extension from here:
https://chrome.google.com/webstore/detail/password-checkup-extensio/pncabnpcffmalkkjpajodfhijclecjno

trbruce_9594:

Thanks. I wonder why it was so hidden; all that would come up when I typed in Password Checkup was Dashlane Password Manager.

russoule:

Doesn't this make the hacker's job a little easier to test whether a password is used more than once? If I am a hacker and I find juliusceasar as a password for a site, can't I just then input juliusceasar and Chrome will tell me if it is used on more than one site? Or is there a method to verify the input is by the actual user who has used it? For example, I need a sign-in and password to get a transmission quote. When I create that account with juliusceasar as the password, which I found via a hack, will Chrome give me a notice that that password is unique or that it has been used on various bank account IDs?

Dennis Faas:

The warning will come from Chrome if it detects a password that is on a leaked password list. In other words, the password list is public knowledge and the hackers already have the list. Chrome is simply making the user aware if that particular password has been previously used in a leaked list. The idea is that it will prevent users from using passwords that have already proven to be compromised (regardless of user name).