Chrome’s Password Breach Check Feature
Google’s password check feature was originally available only as an extension for desktop versions of Chrome. It is now fully integrated into the desktop and mobile versions of Chrome 79, which was released late last week. The feature compares the credentials a user enters when signing into a website against more than 4 billion credentials that Google knows to be unsafe. If a match is found, the user is warned and advised to change their login credentials.
How Does the Password Check Feature Work?
Google uses a cryptographic technique called “private set intersection” so that the feature never has to send plaintext passwords. It lets Google compare a user’s encrypted credentials against an encrypted database of breached credentials and find matches while both the user’s credentials and the breached list remain private: neither dataset can be viewed in the clear, even by Google itself. Google said its password check feature “never reports any identifying information about your accounts, passwords, or device.” It only reports “anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.”
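The following is an added illustration of the private set intersection idea described above; it is not Google’s code and not its deployed protocol. It follows the shape Google has published for Password Checkup (hash the username/password pair, reveal only a short hash prefix, and exchange commutatively blinded values), but with stand-ins chosen for readability: SHA-256 instead of a memory-hard hash, integer exponentiation modulo a constructed 127-bit prime instead of elliptic-curve blinding, and a constructed three-entry breach corpus. The names `BreachServer`, `check_credential` and `demo_check` are this example’s own.

```python
import hashlib
import math
import secrets

# Constructed demonstration parameters, not the constants of Google's deployed
# protocol. A 127-bit Mersenne prime keeps the integer arithmetic fast; the real
# design blinds points on an elliptic curve, and modular exponentiation here plays
# the same role (the two blindings commute, so the client can strip its own).
P = (1 << 127) - 1


def credential_hash(username: str, password: str) -> bytes:
    """Hash the username/password pair. SHA-256 stands in for the slow,
    memory-hard hash used in the real protocol; the username is lower-cased
    so 'Alice' and 'alice' map to the same credential."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def hash_to_group(username: str, password: str) -> int:
    """Map the credential hash to a group element in [2, P-1], so that
    pow(h, k, P) is never the trivial value 0 or 1."""
    return 2 + int.from_bytes(credential_hash(username, password), "big") % (P - 2)


def bucket_prefix(username: str, password: str) -> int:
    """The 2-byte hash prefix: the only unblinded data the client reveals.
    It narrows the server's reply to one bucket (k-anonymity), nothing more."""
    return int.from_bytes(credential_hash(username, password)[:2], "big")


def random_exponent() -> int:
    """A random blinding key coprime with P-1, so it has an inverse mod P-1."""
    while True:
        k = 2 + secrets.randbelow(P - 3)
        if math.gcd(k, P - 1) == 1:
            return k


class BreachServer:
    """Stores breached credentials only as H(cred)^b mod P, grouped by prefix.
    The raw credentials are not kept after ingestion."""

    def __init__(self, breached_credentials):
        self._b = random_exponent()          # server's secret blinding key
        self._buckets = {}
        for user, pw in breached_credentials:
            blinded = pow(hash_to_group(user, pw), self._b, P)
            self._buckets.setdefault(bucket_prefix(user, pw), []).append(blinded)

    def query(self, prefix: int, client_blinded: int):
        """Receive H(cred)^a, return (H(cred)^a)^b plus the requested bucket.
        The server never learns H(cred) or the password behind it."""
        return pow(client_blinded, self._b, P), self._buckets.get(prefix, [])


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side of the lookup: True if the credential is in the server's
    breach set, without the server learning which credential was queried."""
    a = random_exponent()                    # fresh client blinding key per query
    h = hash_to_group(username, password)
    doubly_blinded, bucket = server.query(bucket_prefix(username, password), pow(h, a, P))
    # Strip the client blinding: (H^(ab))^(a^-1 mod P-1) == H^b mod P by Fermat's
    # little theorem, which is exactly the form the server stores.
    a_inv = pow(a, -1, P - 1)
    return pow(doubly_blinded, a_inv, P) in bucket


# Constructed sample breach corpus for the demo.
SAMPLE_BREACH = [("alice", "hunter2"), ("bob", "Password1"), ("carol", "letmein")]
SAMPLE_SERVER = BreachServer(SAMPLE_BREACH)


def demo_check(username: str, password: str) -> bool:
    """Look a credential up against the constructed sample corpus."""
    return check_credential(SAMPLE_SERVER, username, password)


if __name__ == "__main__":
    for user, pw in [("alice", "hunter2"), ("Alice", "hunter2"), ("alice", "s3cret")]:
        print(user, pw, "-> BREACHED" if demo_check(user, pw) else "-> not found")
```

The property worth noticing is what each side sees: the server receives a 16-bit prefix and a blinded value it cannot unblind, and the client receives blinded bucket entries it cannot unblind either, so a match can be decided without either party disclosing its set in the clear.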
Enabling Password Breach Notifications
The password check feature, however, only works for users who have their credentials saved in Chrome and synced to Google’s servers. The feature is aimed at mainstream users who don’t usually think about password security, and Google hopes it will reduce the chance of accounts being compromised through attacks that exploit password reuse. Chrome 79 users can turn on the feature by enabling Password Protection from within Chrome Settings. Administrators can enable or disable the feature for their users company-wide using the PasswordLeakDetectionEnabled policy. If this policy is set to enabled or disabled, users cannot override it in Google Chrome. If the policy is unset, leak checking is allowed but can be turned off by the user.
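As an added example (not from the article or from Google’s documentation), the script below writes a managed policy file that forces the PasswordLeakDetectionEnabled policy on or off, and audits a policy directory to report which of the three states described above applies. It assumes the Linux layout, where Google Chrome reads mandatory policies from JSON files under /etc/opt/chrome/policies/managed; Windows and macOS use the registry or a plist instead. The file name, the `demo` helper and the rule that the last file in sorted order wins are this example’s own choices, not Chrome’s merge semantics.

```python
import json
import os
import tempfile

# Assumption: Google Chrome on Linux reads mandatory policies from every *.json
# file in this directory. The directory name is real; the file name below is ours.
MANAGED_POLICY_DIR = "/etc/opt/chrome/policies/managed"
POLICY = "PasswordLeakDetectionEnabled"


def write_leak_detection_policy(policy_dir: str, enabled: bool) -> str:
    """Write a managed policy file that forces leak detection on or off.
    Returns the path of the file written."""
    os.makedirs(policy_dir, exist_ok=True)
    path = os.path.join(policy_dir, "password-leak-detection.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({POLICY: enabled}, fh, indent=2)
        fh.write("\n")
    return path


def effective_leak_detection(policy_dir: str) -> dict:
    """Report what the managed policy directory enforces for leak detection:
    'forced_on' / 'forced_off' when the policy is set (user cannot change it),
    'user_choice' when it is unset (checking allowed, user may turn it off).
    If several files set the policy, the last one in sorted order is reported;
    Chrome's own conflict handling is not modelled here."""
    value, source = None, None
    if os.path.isdir(policy_dir):
        for name in sorted(os.listdir(policy_dir)):
            if not name.endswith(".json"):
                continue
            with open(os.path.join(policy_dir, name), encoding="utf-8") as fh:
                data = json.load(fh)
            if POLICY in data:
                value, source = bool(data[POLICY]), name
    if value is None:
        return {"state": "user_choice", "source": None}
    return {"state": "forced_on" if value else "forced_off", "source": source}


def demo(enabled=None) -> dict:
    """Run the audit in a scratch directory; enabled=None leaves the policy unset."""
    with tempfile.TemporaryDirectory() as scratch:
        if enabled is not None:
            write_leak_detection_policy(scratch, enabled)
        return effective_leak_detection(scratch)


if __name__ == "__main__":
    # Audit the real managed directory (read-only; prints 'user_choice' if absent).
    print(effective_leak_detection(MANAGED_POLICY_DIR))
```

Run it as root with `write_leak_detection_policy(MANAGED_POLICY_DIR, True)` to enforce the check fleet-wide, or call `effective_leak_detection(MANAGED_POLICY_DIR)` on a managed endpoint to confirm the policy actually landed; the `demo` helper exercises the same code in a temporary directory.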