Even though passwords are fundamental for all our accounts’ security, they’re one of the main ways people get compromised. Google’s recent tool – the Password Checkup feature – will get a higher profile, since it’s going to join the Security Checkup dashboard built into all Google accounts.
Despite the fact that you can use a password manager to store this kind of sensitive information, many people simply reuse the same password for multiple accounts. 52% of people, to be exact, according to a 2019 poll by Google, and 13% of people use one password for all of their accounts. At the same time, Microsoft stated last year that as many as 44 million Microsoft accounts used logins that had been leaked.
The main reason for reusing passwords is probably that it’s difficult to remember a complex combination of letters, numbers, and symbols, and we tend to think that no one will be able to guess it anyway. In practice, however, that is precisely what puts your data at risk. If a reused password is leaked in a data breach, hackers get access to many of your other online accounts, no guessing involved.
In fact, research shows that people whose data has been exposed in a data breach are ten times more likely to be hacked than others.
Over the past year, Google has worked to help people create better passwords with Password Checkup. The tool compares logins against a database of 4 billion leaked credentials and checks whether your password matches any entry. It was first launched in February last year as a Chrome extension.
The idea is not brand-new, but the company is uniquely positioned to offer something like Password Checkup. Google has access to billions of passwords, and its ability to deliver the feature to billions of users, integrated with its other account security tools, makes it something people rely on.
Letting Password Checkup flag compromised credentials in a privacy-friendly way was a difficult technical problem, which was solved thanks to a combined effort from Google and Stanford. The main challenge was to automatically compare a user’s credentials to a database of leaked logins without revealing that information to Google and without letting the user see the whole database.
With this in mind, Google stores a hashed and encrypted version of each username and password identified in a data breach. Every time you log into your account, Google checks a hashed and encrypted version of your login against that database. By doing so, Google doesn’t get your password, while you don’t see Google’s list of compromised logins. If there’s a match, Google shows an alert and recommends that you change the password.
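The exchange described above can be modelled as a blinded-hash private set intersection: the client hashes its credential, blinds it with a random exponent, and sends only a short hash prefix plus the blinded value; the server applies its own secret exponent, returns the double-blinded value together with its blinded entries for that prefix bucket, and the client strips its own blinding and looks for a match. The following Python is an added illustration, not Google’s or Stanford’s code; the 127-bit Mersenne prime modulus, the 2-byte bucket prefix, the SHA-256 credential hash, and the constructed leaked list are all assumptions chosen to keep the example self-contained.

```python
"""Toy blinded-hash credential check (private set intersection).

Illustrative only: group parameters, hashing and bucketing are simplifying
assumptions, not the production protocol.
"""
import hashlib
import math
import secrets

# Assumption: a 127-bit Mersenne prime keeps the arithmetic readable. A real
# deployment would use an elliptic-curve group or a much larger prime.
P = (1 << 127) - 1
ORDER = P - 1  # exponents are taken modulo the multiplicative group order


def _random_key() -> int:
    """Random blinding exponent that is invertible modulo ORDER."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


def credential_digest(username: str, password: str) -> bytes:
    """Hash the (username, password) pair so neither is sent in the clear."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def to_group(digest: bytes) -> int:
    """Map a digest to a nonzero element of Z_p^* (excludes 0, 1 and p-1)."""
    return 2 + int.from_bytes(digest, "big") % (P - 3)


def bucket_prefix(digest: bytes) -> bytes:
    """2-byte prefix shared with the server; narrows the DB to ~1/65536."""
    return digest[:2]


def blind(element: int, key: int) -> int:
    return pow(element, key, P)


def unblind(element: int, key: int) -> int:
    # key * key^-1 = 1 (mod P-1), so g^(key * key^-1) = g for any g in Z_p^*
    return pow(element, pow(key, -1, ORDER), P)


class BreachServer:
    """Holds leaked credentials only in server-blinded form."""

    def __init__(self, leaked):
        self.key = _random_key()
        self.buckets = {}
        for user, pw in leaked:
            d = credential_digest(user, pw)
            bucket = self.buckets.setdefault(bucket_prefix(d), set())
            bucket.add(blind(to_group(d), self.key))

    def query(self, prefix: bytes, client_blinded: int):
        """Server sees only the prefix and a blinded value it cannot invert."""
        double_blinded = blind(client_blinded, self.key)
        return double_blinded, self.buckets.get(prefix, set())


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: returns True if the credential is in the breach set."""
    d = credential_digest(username, password)
    a = _random_key()
    double_blinded, bucket = server.query(bucket_prefix(d), blind(to_group(d), a))
    server_blinded = unblind(double_blinded, a)  # now equals H(cred)^server_key
    return server_blinded in bucket


# Constructed sample breach data (not real leaked credentials).
LEAKED = [("alice@example.com", "hunter2"), ("bob@example.com", "Passw0rd!")]
SERVER = BreachServer(LEAKED)

if __name__ == "__main__":
    print(check_credential(SERVER, "alice@example.com", "hunter2"))   # True
    print(check_credential(SERVER, "alice@example.com", "different")) # False
```

Because the digest covers the username as well as the password, the check only fires for a leaked pair, which is what the article describes; the server never sees the raw hash (only its blinded form and a 2-byte prefix), and the client only sees blinded entries for one bucket rather than the whole list.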
The company receives those compromised logins from various sources, including underground forums where password dumps are shared. However, its ethics policy doesn’t let it pay criminals for stolen data, according to Kurt Thomas, a member of the anti-abuse and security research team at Google.
He also mentioned that developing the tool took 2-3 years. In the next few months, Google is going to have Security Checkup send you an email whenever it detects a compromised login. And later in 2020, Google intends to allow people to use the tool in Chrome even if they are logged out of their Google account.
Google isn’t alone in offering password-checking tools. Password manager 1Password gives recommendations to change vulnerable or duplicated passwords; it also offers Watchtower, a feature that compares your logins against Troy Hunt’s Have I Been Pwned database of more than 9 billion accounts to find matches. Apple also announced recently that the next version of Safari will feature a password-monitoring tool that appears similar to Password Checkup.
However, Google still has a huge advantage because it helps people with their passwords on a massive scale. Tools like Password Checkup and the built-in password manager thus move online security, step by step, toward being more reliable for users.