Google wants to warn you if you reuse passwords or create weak ones
"The state of passwords is so bad that we want to turn this on for every user across the internet."
Google's Password Checkup tool is designed to warn people if the passwords they use have been stolen in any data breaches.
Nearly a quarter of Americans use "Admin," "abc123" and "123456" as passwords, according to a survey released by Google and Harris Poll on Wednesday. If you're one of them, you could benefit from Password Checkup, a tool Google is folding into its accounts management service.
Google said it would integrate the tool, which is designed to warn people if their usernames and passwords were stolen in data breaches, into its Password Manager on Wednesday. Password Checkup was first released as a Google Chrome extension in February.
The plan was always to add the extension as a default tool, said Google's director of account security, Mark Risher. He explained that the extension released in February was a way to experiment with how to present the tool to the public, but the long-term goal was to get Password Checkup to as many people as possible.
"The state of passwords is so bad that we want to turn this on for every user across the internet," Risher said.
Read more: The best password managers for 2019 and how to use them
Hackers count on people reusing the same passwords across multiple accounts, and they try to use them to access as many accounts as possible, a technique called credential stuffing. So if your username and password were stolen in a Yahoo breach in 2012, and you hadn't ever changed them, hackers might have tried to use those credentials to, say, take over your Dunkin' Donuts account in 2018.
The Google-Harris Poll survey found that 66% of respondents used the same passwords for multiple accounts, leaving them vulnerable to potential attacks. The Password Checkup extension would notify people by automatically checking if a person's credentials were exposed in other hacks, something that Google's smart home unit, Nest, also does, as do Netflix and Facebook.
In the last eight months, more than 1 million people downloaded Google's extension, and it scans about 10 million passwords a month, Risher said. The company uses a cryptography technique called blinding so it can compare your passwords with a database of passwords leaked in public breaches, without viewing them.
In February, Google said it has a database of 4 billion usernames and passwords collected from public breaches. That database continues to grow as more breaches happen. Those credentials are also hashed and encrypted.
About half the people using the extension had at least one alert about an exposed password within the first month of installing it, Risher said.
"In the last month, we scanned 21 million logins, and we detected 316,000 breached passwords," he said. The tool protected at least 750,000 accounts, Risher added.
Now people won't have to download an extension for the security notification. The Password Checkup tool will be added to Google's Password Manager, and checks all your saved passwords for security issues, the company said.
The Password Checkup tool is set to come to Chrome browsers in December.
It won't be an automatic checkup -- so you'll still have to use the tool every time a new breach is announced. When it's integrated into Chrome browsers in December, it'll flag vulnerable passwords only when you sign in to accounts. Risher said Google could have Password Checkup be an automatic tool in the future.
"As users see more benefits, we can certainly explore the more automatic approach," he said. "If we can get people really understanding why this is beneficial for them, and how it works, that'll help us move more quickly to that automatic mode."
In addition to identifying passwords that were compromised in breaches, Google will also point out passwords that are being reused and weak passwords such as "123456." The tool will prompt people to update risky credentials and save new passwords to Google's Password Manager.
Risher said Google measures password quality through the US National Institute of Standards and Technology's password guidelines, which recommend a minimum of eight characters and restrictions against words found in the dictionary.
"We're super confident that this is beneficial and makes people more secure," Risher said.