Google's new Chrome extension warns you about stolen passwords

The Password Checkup lets you know if the username and password you're using have been nabbed by hackers in the past.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Google is releasing a new Chrome extension that could make account takeovers harder for hackers.

The Password Checkup tool, which the tech giant released on Tuesday, warns you if the username and password that you're using were stolen in any data breaches. It then prompts you to change them if they were.

Even data breaches from more than a decade ago can still hurt victims if they haven't changed their passwords. Consider this: A collection of 2.2 billion stolen credentials, dating as far back as 2008, continues to float around in hacker forums. Cybercriminals count on you being lazy.

For context, hackers could take over 2.2 million accounts if just one-tenth of 1 percent of the passwords in that massive leak haven't been updated.

Google's own database of collected credentials from public breaches contains over 4 billion usernames and passwords, said Kurt Thomas, a research scientist at Google.

The company has used that database for the last five years to protect Google users who could be affected by third-party breaches. More than 110 million accounts were kept safe through this measure, Thomas said.

"Without this safety measure, you're about 10 times more likely to fall victim to an account takeover," he said.

Google's Chrome dominates the browser market, accounting for 62 percent of website usage today, according to analytics firm StatCounter.

The Chrome extension is similar to what Nest, a smart home company that Google owns, does for its users.

Nest monitors publicly leaked password databases and checks its own databases for matches. If a user's email and password for outside services are involved, Nest sends an alert requesting the person to change passwords -- even if the company's own data wasn't affected by the breach.

Google isn't the only company that does this. Facebook's security team also monitors public breaches. So does Netflix's.

This prevents hackers from being able to reuse passwords stolen from one service on another website. Hackers often employ this tactic to take over accounts, given how many people are likely to use the same password again and again. In a survey by Google and Harris Poll of 3,000 adults in the US, for instance, 65 percent of respondents said they reuse a password across multiple accounts. (Even so, about 60 percent of respondents say they have "too many passwords to remember," according to the survey.)

In 2016, hackers said they were able to access Facebook CEO Mark Zuckerberg's Twitter account by using his LinkedIn password, which was stolen in a 2012 breach.

Google's new tool doesn't save or view your passwords when matching them against its database of hijacked credentials, according to Google.

The 4 billion credentials in Google's database are hashed and encrypted, and so are the passwords and usernames a person would type in to compare using the Chrome extension. It uses a cryptography technique called "blinding" so Google can compare your passwords without ever needing to view them.
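To make the "blinding" idea concrete, here is an added example that is not from the article and is not Google's implementation: a generic commutative-blinding lookup in which the server never sees the credential hash and the client never sees the server's key. The modulus, the hash-to-group step, the class and function names and the sample credentials are all assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Demo modulus: the Mersenne prime 2^521 - 1, picked only because it is short
# to write. A real design would use a vetted prime-order group (assumption).
P = 2**521 - 1

def to_group(username: str, password: str) -> int:
    """Hash a credential pair to a nonzero integer mod P."""
    digest = hashlib.sha512(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def new_key() -> int:
    """Random exponent invertible mod P-1, so the blinding can be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class BreachServer:
    """Holds breached credentials only in the blinded form H^b mod P."""
    def __init__(self, breached):
        self._b = new_key()  # server secret, never leaves the server
        # This set is what the server would publish to clients.
        self.blinded_set = {pow(to_group(u, p), self._b, P) for u, p in breached}

    def reblind(self, client_value: int) -> int:
        # The server receives H^a, not H, and applies its own key: H^(a*b).
        return pow(client_value, self._b, P)

def is_breached(server: BreachServer, username: str, password: str) -> bool:
    a = new_key()                                       # fresh client key per lookup
    blinded = pow(to_group(username, password), a, P)   # H^a, sent to the server
    double = server.reblind(blinded)                    # H^(a*b), returned
    unblinded = pow(double, pow(a, -1, P - 1), P)       # strip a, leaving H^b
    return unblinded in server.blinded_set              # compared locally

# Constructed sample data, not real breach contents.
SERVER = BreachServer([("alice@example.com", "hunter2"),
                       ("bob@example.com", "123456")])

if __name__ == "__main__":
    print(is_breached(SERVER, "alice@example.com", "hunter2"))
    print(is_breached(SERVER, "alice@example.com", "correct horse battery"))
```

Because the client draws a new key for every lookup, the same credential produces a different blinded value each time, so the server cannot link repeated checks by the value alone.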

Hacks happen almost daily, but you're not expected to check every day to see if your account information was leaked in a breach. People simply have a hard time staying on top of security-related matters. Up to 69 percent of respondents to Google's survey said they were excellent at protecting their own accounts, yet only 32 percent even knew what phishing and two-factor authentication are. 

Password Checkup is designed to fill that security gap by automatically checking and warning people if they could be impacted by a potential hack.

"We felt this was important and tried to do this as a community service and help our users everywhere," said Elie Bursztein, Google's anti-abuse research team lead.
