[DO IT NOW] Google Password Checkup

Category: Privacy

A new Chrome browser extension from Google will alert you if the username and password you are about to enter on a website have been compromised. The Password Checkup extension checks your credentials against a database of four billion login credentials that Google knows have been compromised. I recommend that you give it a try. Read on to learn the details...

What is the Password Checkup Extension?

Password Checkup is an optional add-on for the Google Chrome browser that helps you identify online accounts that have been affected by data breaches. If you're not familiar with the term, a data breach occurs when hackers break into a poorly secured website, and steal personal information stored there. Unfortunately, this happens with alarming regularity, and can impact tens of millions of users, revealing some combination of names, addresses, phone numbers, social security numbers, birth dates, driver's license data, and of course usernames and passwords. That data is bundled up and sold on various black markets online.

Dashlane, which offers a popular password manager, published a list of the 20 Biggest Data Breaches of 2018. Among them are Marriott (500 million records including names, addresses, phone numbers, email addresses, passport numbers, and dates of birth); Exactis (340 million records including names, addresses, email addresses, phone numbers, and other personal information such as habits, hobbies, and the number, ages, and genders of the person’s children); and Twitter (330 million plain-text passwords). Going back to 2017, there was the horrific Equifax breach which affected 143 million Americans, and included names, social security numbers, birthdates, addresses and, in some instances, driver’s license numbers and credit card numbers. And those are just the highlights. If you've done business with Uber, Verizon, Under Armour, Panera Bread, T-Mobile, Saks, or Lord and Taylor, your personal information may be "out there".

Wherever you sign in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password. If you use the same username and password for any other accounts, please reset your password there as well.

Google Chrome Password Checker

If you get an alert, you should change your password right away, even though password resets are complicated and time-consuming. When it’s time to choose a new password, let Chrome suggest a strong one; right-click while your cursor is in the password box and select “Suggest strong password” at the top of the context menu. If you choose to use the suggested password, Chrome will enter it and save it to your passwords list.

It’s not clear where Google got its four billion compromised credentials. The company says that it has reset over 110 million Google account passwords in the past two years; presumably, those compromised passwords are in the database. Google doesn't say where the rest come from or how quickly they are added to the database. But my guess is that they keep tabs on the major data breaches and incorporate that information into their service.

Password Checkup addresses the problem of password re-use. If you follow the best practice of using a unique password on every site, you only have to reset one site’s password if your password is compromised. But if you have re-used a password on multiple sites, you probably don’t recall which ones need to be reset. Password Checkup will alert you each time you try to use compromised credentials. So it is of great use in plugging the very common password re-use vulnerability.

Google is not the first to market with a password checker. For nearly a year, the 1Password password manager has integrated with Troy Hunt’s Pwned Passwords database, which currently contains about half a billion compromised credentials.

You can visit Have I Been Pwned? (HIBP) and enter your email address to see if it may have been compromised. The site was created by security expert Troy Hunt, as a free resource for anyone to quickly assess if they may have been put at risk due to an online account surfacing in a data breach. Read the HIBP privacy page for more information about the data they store, where it comes from, and why it's safe to use this website.

Unlike Google, 1Password downloads all of the compromised credentials to each user’s machine. While this avoids uploading a user’s credentials to 1Password’s server, it puts an ever-growing burden on the user’s computing resources. Google, instead, works in the cloud with encrypted copies of user data, so Google never knows what the user’s credentials are. Google’s password manager is free, while 1Password costs about $3 per month for a single user.

Google addresses the privacy issue of Password Checker thusly: "Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords, or device. We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage." You can learn more about how Password Checkup works.
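How a service can answer "is this credential in the breach list?" without ever seeing the credential can be sketched with commutative blinding: client and server each apply a secret key, and the client later removes its own. This is an added illustration, not Google's code and not part of the original article; the toy modulus, the use of SHA-256, the 4-hex-digit prefix and the sample accounts are all assumptions chosen to keep it short.

```python
import hashlib, secrets
from math import gcd

P = 2**255 - 19   # toy prime modulus (assumption; production systems use an elliptic curve)

def keygen():
    # The exponent must be invertible mod P-1 so the blinding can be removed again.
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def to_group(username, password):
    # Map the credential pair to a number mod P (SHA-256 stands in for a slow hash).
    d = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(d, "big") % P or 1

def prefix(username):
    # Short bucket key: narrows the server's answer without identifying the user.
    return hashlib.sha256(username.encode()).hexdigest()[:4]

class Server:
    def __init__(self, breached):
        self.b = keygen()            # server secret, never leaves the server
        self.buckets = {}
        for user, pw in breached:
            blinded = pow(to_group(user, pw), self.b, P)
            self.buckets.setdefault(prefix(user), set()).add(blinded)

    def lookup(self, bucket, client_blinded):
        # The server sees only a prefix and a blinded value; it adds its own key on top.
        return pow(client_blinded, self.b, P), self.buckets.get(bucket, set())

def is_compromised(server, username, password):
    a = keygen()                                      # fresh client secret per lookup
    blinded = pow(to_group(username, password), a, P)
    double, bucket = server.lookup(prefix(username), blinded)
    server_only = pow(double, pow(a, -1, P - 1), P)   # strip the client's key, leaving h^b
    return server_only in bucket                      # comparison happens on the client

# Constructed sample data, not real breach records.
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "letmein")])
```

The match is decided on the client, so the server learns neither the credential nor whether the lookup hit.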

This is the first public release of Password Checkup; even Google admits there’s room for improvement in the future. Making it work with more log-in screen formats is a high priority. I would like the extension to check all of my saved passwords in one batch and show me which ones need to be changed. Some automation of tedious password-reset routines would also be very welcome.

But what would really make my day is the elimination of passwords altogether. I long for the day when biometric or hardware key security becomes the universal norm. Then we will have much less to remember, maintain, and worry about. A lot of progress has been made on the mobile device side, with fingerprint, voice and face identification options. I also wrote about hardware security keys in my recent article Are You Ready for Hardware Security Keys?

Have you checked to see if your email addresses and/or passwords have been compromised? Your thoughts on this topic are welcome. Post your comment or question below…


This article was posted by on 8 Feb 2019


Most recent comments on "[DO IT NOW] Google Password Checkup"


Posted by:

08 Feb 2019

I agree, I use Chrome as little as possible and Google is the LAST enterprise I'd trust with passwords or anything else, I won't even use their search engine. I have a password manager that takes care of those issues for me already, I pay for that and have used it for three plus years now with no issues at all. I don't need, and won't accept Google's "help" with anything.

Posted by:

Michael Fallin
08 Feb 2019

Aside from 2-factor authentication, or using a hardware key, What else can be done when your email address has been pawned?
Using a good password manager like Norton's Password Dashboard will tell you when you have duplicates or weak passwords. I'm uncomfortable having Google memorize my passwords anyway. That's why you use a password manager, right?
Knowing where it is compromised might prove useful.

Posted by:

08 Feb 2019

@Michael Fallin

Check out "disposable email addresses"

These can be used and deleted on your schedule for whatever reason.

If you are alerted to a hack or one suddenly started to be used by another entity messaging you you'll know it was "sold" and you can delete it.

Bob has written an article here:

Posted by:

Kenneth Heikkila
08 Feb 2019

I use Dashlane, but it doesn't make it easy to change passwords and doesn't work on many sites at all. I will definitely add the Google Password Checkup to my Chrome browser, but I have mostly switched to Vivaldi because Chrome doesn't play nice with my banking sites. I was switching back and forth to do banking and everyday surfing, but that was too much of a hassle.
I wonder if Vivaldi can use the Password Checkup since it is built on the Chromium platform?

Posted by:

08 Feb 2019

I trust anything from Google about as far as I can spit upwind in a Class 5 hurricane.

Posted by:

08 Feb 2019

It does work on Chrome, but I tried to add it to Opera (vpn), a browser based on Chrome, and I cannot find it. I also use another Chrome based browser, Vivaldi, and I'd guess it will not show up on their list either, or be available in the Chrome Web Store for it.

Posted by:

08 Feb 2019

Google 'bad'....1PASSWORD 'good'

Posted by:

08 Feb 2019

I love google. I have absolutely no reason/s not to trust fully. I've used google for as long as I have had the internet and google has all of my information and passwords. I have never had an issue with google's safety or password compromise issues.
I really do not understand how or why some people don't appreciate it.
I haven't checked out this "password checkup" app as of yet because I wanted to make sure I had plenty of time to sit down and work with it. I have planned to do that this weekend.
Do I use the same password everywhere ? No, however I do have the same password/s used on more than one site and still no issues.
So Friday is here and Saturday I sit down with google, a thumb drive and a notepad and do the work.
I don't really see the necessity for doing this and haven't in the past, but I know it's just a matter of time, so I'll do the cautious thing.

By the way. IMHO those who have been compromised are usually the same ones who do not practice safe internet and are also the ones who keep getting viruses from questionable websites.

Posted by:

08 Feb 2019

@Fred - People who have had passwords stolen as a result of a data breach had no control over it.

Posted by:

carol s
08 Feb 2019

goog cannot be trusted ! you are kidding in thinking so, right? you can't read? blaming victims of data breaches for the fallout is rude or ignorant.. take your pick...

Posted by:

Jay R
08 Feb 2019

I just read someone mentioning safe internet practices. Is that just like safe sex?

Posted by:

08 Feb 2019

"By the way. IMHO those who have been compromised are usually the same ones who do not practice safe internet and are also the ones who keep getting viruses from questionable websites."

@Fred - You are correct about most people do not protect themselves properly. However, what Bob is talking about and Google's program is all about ... going to websites that have been compromised. This is a big difference than not protecting oneself.

A Data Breach is when a Website or Company have been Hacked and Data was taken from their Databases. This Data can be passwords, email addresses, financial information, Identity Theft and many, many other pieces of Data.

For example - I have had my Visa Debit Card changed 3 different times ... Due to Visa's Database being hacked into ... I was not the cause of Database Hacking ... I was a victim of a company that doesn't keep their own security safe and sound.

This has been happening for a couple of decades now. It is a major problem and it is called a "Cyber Crime." As technology grows, becoming more and more complex ... So does Hacking!

As for Google's Password Checkup ... This is an Extension/program showing which Websites are compromised. I am going to try it out, just for interest sake. Remember, this is to look and see if the Website is compromised ... Not by you, but the Website itself.

Posted by:

09 Feb 2019

Another great heads-up - thanks Bob. I have downloaded the Chrome PW Checkup and will see how it goes. I use ONE password for accounts of little consequence and DIFFERENT passwords for other accounts. Lastpass stores my passwords very well, generates new ones for me, and also works with my Yubikey. A total key solution would be wonderful. If my ONE password gets knocked off, I just change it progressively. I also have a throw-away email account for dubious signups etc. If compromised, I can give it the flick.

Posted by:

John Doe
09 Feb 2019

and then Chrome and Google have access to all your passwords. And google is so trustworthy!

EDITOR'S NOTE: Can you provide an example of Google breaching the privacy of an individual?

Posted by:

top squirrel
09 Feb 2019

I clicked the link and learned that one account had been compromised. However, the alleged breach occurred in 2012 and I had changed the password sometime after 2012. I also do not know which site was breached. And therefore I do not know if it is worth changing my password. You don't want to punish a faithful dog just because somebody says he told somebody your email, and it is not clear which password you were using at the time. My latest password is strong and easy for me to remember. I would hate to have to change it without good cause.
That spammers have my email address is obvious. I get a lot of mail from presumed young ladies eager to have sex with me who include attachments that presumably are revealing graphics. I delete them unopened (the emails, not the young ladies).

Posted by:

09 Feb 2019

So you give away your password to someone that will "check" if it is safe? Really how stupid are people, you NEVER give away your password to anyone!

EDITOR'S NOTE: That's not what is happening here...

Posted by:

11 Feb 2019

Troy Hunt's Have I Been Pwned site is the source behind the Google Extension. You can go direct to HIBP or to Firefox Monitor for checking email address hacks and signing up for notifications of future hacks. Also, Troy Hunt with the help of Cloudflare make the PasswordPwned List that Google is linked to. You can use the PPL site or you can follow a link to download the 550 million known passwords that have been "collected" (stolen in data breaches) and published on the Dark Web.
Google is not evil, but very thorough at collecting whatever private data you don't opt out of.

Posted by:

11 Feb 2019

Any email address that is in the HIBP site gives you clues as to when and where the account was breached. When in doubt change the password...
Unfortunately, really good secure passwords that have been harvested and added to the 550 million list are no longer safe to use.
Use a password manager like Lastpass (free and most popular) or 1Password, inexpensive and also popular.

Try the GRC/Haystack page to experiment with constructing passwords and seeing instantly why character length and character depth are important.

Posted by:

15 Feb 2019

There seems to be confusion in this article between the password I use to access my own email account and the password I use to register with a site using my email address as username.
Would you be so foolish as to use the same password for both?
I have received the odd blackmail email claiming that my email password has been hacked, but I know it is not true; even when the hacker seemed able to send me an email that purported to come from ... me!

Posted by:

18 Feb 2019

Just read the most recent reviews on this extension. No way to report bugs, wonky cookies, false positives, memory hog, etc. Think I'll pass on this recommendation.


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- [DO IT NOW] Google Password Checkup (Posted: 8 Feb 2019)
Source: https://askbobrankin.com/do_it_now_google_password_checkup.html