Google will soon alert Chrome browser users to weak or compromised passwords. The checks will run in real time as Chrome users visit a password-protected website. Bad passwords will trigger a red dialogue box alerting users to take action to better protect their account.
The move integrates a feature previously only available via a Google Chrome browser extension called Password Checkup. According to Andreas Tuerk, product manager for Google’s Password Manager, the password checking feature will be integrated into Google Accounts and no longer require the browser extension.
“Later this year, we’ll build Password Checkup technology directly into Chrome for everyone—so you get real time protection as you type your password without needing to install a separate extension,” Tuerk wrote in a post Wednesday.
Users who allow their Google Chrome browser to store passwords for sites will be alerted. However, if a user declines to have the Chrome browser “save” their password for a specific site, there is no red flag that the password is weak or compromised when visiting the site.
The password checkup feature, first released as a Chrome extension in February, cross-references user passwords with the 4 billion username and password combos that Google said it knows have been breached.
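An added example, not from the article or from Google: one way a client can cross-reference a password against a breach corpus without sending the password itself, using a hash-prefix range lookup of the kind HIBP's Pwned Passwords service offers. The `RangeServer` class, the sample corpus and the function names are hypothetical, and the sketch does not claim to reproduce Password Checkup's own protocol.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample corpus standing in for a breach dump (not real data).
BREACHED = ["password123", "letmein", "password123", "qwerty", "letmein", "letmein"]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class RangeServer:
    """Hypothetical service: indexes breached hashes by their first 5 hex chars."""
    def __init__(self, passwords):
        self.index = defaultdict(Counter)
        for pw in passwords:
            digest = sha1_hex(pw)
            self.index[digest[:5]][digest[5:]] += 1
        self.seen = []  # everything the server ever learns from clients

    def query(self, prefix: str) -> str:
        # Returns every "SUFFIX:COUNT" line in the bucket, matching or not.
        self.seen.append(prefix)
        bucket = self.index.get(prefix, {})
        return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))

def breach_count(password: str, server: RangeServer) -> int:
    """Client side: send only the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # hash not present in the corpus

if __name__ == "__main__":
    server = RangeServer(BREACHED)
    for pw in ("letmein", "password123", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, server)} time(s)")
    print("server saw only:", server.seen)
```

The server only ever receives the five-character prefix, so it cannot tell which hash in the bucket, if any, the client was checking.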
“Until passwords become a thing of the past (trust us, we’re working on it), there’s a simple and secure solution: use a password manager, like the one built into your Google Account and Google Chrome,” Tuerk wrote. “It generates strong, unique passwords for all your online accounts, auto-fills them as you sign in, and helps keep them safe in a central place.”
Not the First Password Alert Service
The big “password problem” has plagued the security industry for years. Poor password hygiene, including reusing passwords or picking easy-to-guess passwords, is greatly exacerbating many of the major issues that plague the cybersecurity landscape, researchers like Troy Hunt have said in the past.
To deal with this issue, Hunt six years ago launched a free service, Have I Been Pwned (HIBP), for consumers wanting to know if their user names and passwords have been compromised in a data breach (the site is currently for sale).
On the heels of this service, other browsers have sought to test and implement similar solutions, such as Mozilla’s Firefox Monitor, which leverages a partnership with Cloudflare and HIBP (Firefox Monitor relies on HIBP’s API endpoints) to create a HIBP clone – only bringing the service to a larger audience.
Similar to the existing function of HIBP, founded by security researcher Troy Hunt, Firefox Monitor allows users to enter their email addresses to check if they’re part of hacker databases that have been publicly released. Firefox Monitor users can see the details on sites and other sources of breaches and the types of personal data exposed in each breach, and receive recommendations on what to do in the case of a data breach. Mozilla said it is also considering a service to notify people when new breaches include their personal data.
The password protection alerts are necessary for users grappling to keep up with data breaches and other security concerns: According to Google, its password checkup extension was downloaded more than 1 million times when it was launched in February – and half of those users received a warning for a compromised password.
One of the biggest risks is credential stuffing, where cyberattackers use stolen passwords and user names from previous data breaches to brute-force accounts on a wide scale, and when a match is found, take over the victim’s account. This has recently been seen in action in cyberattacks against State Farm and Dunkin Donuts.
Making matters worse, passwords are appearing left and right online as part of major data breaches – yet victims aren’t changing their passwords at all across various platforms. The Collection #1 data dump, which included 773 million credentials, and subsequent Collection #2-5 dumps, show exactly how many passwords are available on the Dark Web and underground forums.
Google Privacy Features
Google on Wednesday also announced a slew of new privacy controls across its products, including the launch of “Incognito Mode” in its Google Maps product – which means that users’ locations and activities won’t be saved to their Google Account and won’t be used to personalize their Maps experience.
Other new features include new privacy settings in Google Assistant, which come after public outcry earlier this year over the company’s policies on audio collection and storage.
To access the feature, users can go to Google Password Manager and click on the “Check Passwords” option. In the coming weeks, users will be able to delete Assistant activity from their Google Account.
“You won’t need to turn on any of these features—they will work automatically when you ask the Assistant for help,” said Eric Miraglia, director of Product Management for Google’s Privacy and Data Protection Office, in a statement. “If you ask to delete more than a week’s worth of data from your account, the Assistant will point you directly to the page in your account settings to complete the deletion.”