Two major browsers – Microsoft Edge and Google Chrome – are rolling out default features that they say will better notify users if their password has been compromised as part of a breach or database exposure.
Edge and Chrome’s moves signify a bigger push by browsers to solve the big “password problem” plaguing the security industry. Over the past two years, major browsers (including Mozilla Firefox) have launched built-in tools for helping users identify passwords that are increasingly wrapped up in data breaches – and easily change them.
Microsoft Password Monitor
Microsoft on Thursday said that its next version of Edge (version 88.0.705.50) will generate alerts if a user password is found in an online leak. The tool, called Password Monitor, will check users’ passwords against a data repository of known, breached credentials. If the passwords saved to the browser match those on a list of leaked credentials, Password Monitor will send users alerts and prompt them to update their password.
“To ensure security and privacy, user passwords are hashed and encrypted when they’re checked against the database of leaked credentials,” said Microsoft.
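The following added example (not Microsoft's or Google's code) sketches how a client can check saved passwords against a breach corpus without sending the passwords themselves. It swaps in a simplified hash-prefix lookup and models only the hashing step, not the encryption the quote mentions; `BreachService`, `PREFIX_LEN` and the sample data are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the digest revealed to the service (assumed value)


def digest(password: str) -> str:
    # SHA-1 is used here only to bucket candidates, not to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachService:
    """Hypothetical server: indexes leaked-password digests by prefix."""

    def __init__(self, leaked):
        self.buckets = defaultdict(set)
        self.seen = []  # everything the server learns from clients
        for pw in leaked:
            d = digest(pw)
            self.buckets[d[:PREFIX_LEN]].add(d[PREFIX_LEN:])

    def range_query(self, prefix: str) -> set:
        self.seen.append(prefix)
        return set(self.buckets.get(prefix, ()))


def check_saved(saved: dict, service: BreachService) -> dict:
    """Map each site to True if its saved password is in the leak set."""
    result = {}
    for site, pw in saved.items():
        d = digest(pw)
        # Only the prefix leaves the client; the suffix is compared locally.
        result[site] = d[PREFIX_LEN:] in service.range_query(d[:PREFIX_LEN])
    return result


def reused(saved: dict) -> list:
    """Groups of sites sharing one password (the credential-stuffing risk)."""
    groups = defaultdict(list)
    for site, pw in saved.items():
        groups[digest(pw)].append(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample data, not real leaked credentials.
LEAKED = ["password123", "qwerty", "letmein"]
SAVED = {"mail.example": "qwerty", "bank.example": "V7#tq9!mLx2p",
         "forum.example": "qwerty"}

if __name__ == "__main__":
    svc = BreachService(LEAKED)
    print(check_saved(SAVED, svc), reused(SAVED), svc.seen)
```

The `seen` list records what the service observes: three five-character prefixes, never a password or a full digest.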
In addition, Microsoft’s newest Edge version will include a built-in “strong password generator,” which it hopes will promote strong passwords for internet users who are signing up for a new account, or changing an existing password.
Security experts applauded the new measures. “By having the password management feature in the browsers look for compromised credentials, it allows the potential victim to change the password in other places before it impacts them,” Erich Kron, security awareness advocate at KnowBe4, told Threatpost. “Hopefully, it will also demonstrate to the individual the importance of not reusing passwords across multiple services.”
Google Chrome’s Latest Password Protections
Meanwhile, Google this week announced it will be introducing new features that will consolidate its password protections – and make them more seamless for users – in Chrome 88 over the coming weeks. Chrome 88 will allow users to launch a simple check to identify any weak passwords and “take action easily.” By navigating to the top of their browser and clicking on passwords and “Check Passwords,” users are able to easily check whether any of their passwords have been compromised in a breach – and on the same page edit their passwords to choose safer alternatives if need be.
Chrome already alerts users if their passwords have been compromised and prompts them to update. However, the idea here is to give users the ability to update multiple usernames and passwords easily, all in one place.
“That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too),” said Google.
Chrome also provided an update on its existing password protection tools, including Safety Check, launched in 2020, which tells Chrome users if passwords they’ve asked the browser to remember have been compromised. Google said as a result of Safety Check it has seen a 37 percent reduction in compromised credentials stored in Chrome.
Password Health Continues to Fail
With data breaches continuing to hit companies, attackers are accessing credentials across the board. However, compromised data isn’t leading to actionable changes by consumers – in fact, a 2020 survey found that half of respondents hadn’t changed their password in the last year, even after they heard about a data breach in the news. This “password problem” has challenged the security industry for years, with companies grappling with issues like poor password hygiene, password reuse or easy-to-guess passwords. Making matters worse, passwords are appearing left and right online as part of major data breaches – yet victims aren’t changing their passwords at all across various platforms. The Collection #1 data dump in 2019, for instance, which included 773 million credentials, and the subsequent Collection #2-5 dumps show exactly how many passwords are available on the Dark Web and underground forums.
“Password compromise is a huge ongoing issue leading to everything from data breaches to ransomware or other malware infections,” Kron said. “This is in large part due to the practice of credential stuffing. This is where cybercriminals take known usernames and passwords from previous breaches and attempt to use them on other services. Knowing that people tend to reuse passwords across multiple services, they know the odds of success are worth the effort.”
Lamar Bailey, senior director of security research with Tripwire, said that passwords are “the Achilles heel of cybersecurity.”
“The vast majority of breaches start with stolen, weak or reused passwords,” Bailey said. “Our brains can’t keep up with a long list of passwords that map to all of the various sites, assets and services we access on a given day. Third-party password vaults… have become the de facto standard to solve this problem. With the latest update, Chrome and Edge will be competing with these third-party products by offering some of the same features.”