To mark Safer Internet Day on February 5th 2019, Google released a new password checking plugin for its popular Chrome browser. It might sound boring but it could be vital in alerting you to compromised accounts.
The Password Checkup Chrome Extension monitors your credentials, and if you attempt to sign in using compromised data, you receive a warning advising you to change your password.
Does Google send my password to a third-party server then?
Rest assured that Google has worked with cryptography specialists at Stanford University to ensure that only you know the username and password combination the plugin is warning about. The credentials are encrypted before they leave your computer and, using strong cryptographic algorithms, are checked against the database of over four billion leaked credentials without being exposed in the process, so that breached data cannot spread any further afield. For more information, consult Google’s Security Blog post about the plugin.
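As an added illustration (not part of the original article and not Google's code), the sketch below shows one general way a client can test a username/password pair against a breach database without revealing it: commutative blinding. The toy group modulus, the SHA-512 hash, all class and function names, and the sample credentials are assumptions constructed for this example.

```python
import hashlib
import math
import secrets

P = 2**521 - 1  # Mersenne prime used as a toy group modulus (assumption)

def new_key():
    """Random exponent invertible mod P-1, so blinding can later be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def hash_credential(username, password):
    """Map the *pair* to a group element (a real design would use a slow hash)."""
    data = username.lower().encode() + b"\x00" + password.encode()
    return int.from_bytes(hashlib.sha512(data).digest(), "big") % P or 1

class BreachServer:
    """Hypothetical server holding leaked pairs only in blinded form H^b."""
    def __init__(self, leaked_pairs):
        self._key = new_key()
        self._db = {pow(hash_credential(u, p), self._key, P)
                    for u, p in leaked_pairs}

    def lookup(self, blinded):
        # The server sees only H^a, which it cannot link to a credential.
        # It returns (H^a)^b and its blinded set (a real service would
        # return a small bucket rather than the whole set).
        return pow(blinded, self._key, P), self._db

def is_compromised(server, username, password):
    a = new_key()                                    # fresh client secret
    blinded = pow(hash_credential(username, password), a, P)   # H^a
    double_blinded, blinded_db = server.lookup(blinded)        # H^(ab)
    a_inv = pow(a, -1, P - 1)                        # undo the client's blinding
    return pow(double_blinded, a_inv, P) in blinded_db  # H^b, compared locally
```

Because the hash covers the username and password together, a match occurs only when the exact pair is in the leaked set, and the final comparison happens on the client.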
At any time you wish, you can clear the plugin’s stored data relating to unsafe passwords and any accounts you have flagged as exceptions. Any analytic data reported by the plugin is completely anonymous. These metrics include information on whether you responded to the alert by changing the password (though not what either the new or old passwords were), the number of look-ups before an unsafe credential is surfaced and information about the web domain that triggered the alert.
Can it tell me if personal data has been leaked?
The plugin is only designed to check username/password combinations. If credentials have been leaked, it can be difficult to know if personal data has been exposed, and if it has, re-securing that type of data can be extremely difficult. The best protection you can give yourself is to change your password as soon as the alert comes up, change your password on any accounts that share those credentials and keep a close eye on your accounts for suspicious activity.
Types of activity that could indicate you’ve been hacked include posts appearing that you don’t recall making, unusual social media “friends” responding to messages, bounce messages for emails to out-of-date contacts, and purchases or transfers of funds occurring without your knowledge. Always alert the account provider as soon as you have any doubts about your account, to ensure suspicious activities can be stopped, and any damage to your reputation minimised.
Will I get alerted every time I log into an account?
The plugin is designed to sit in the background and will only alert you if sufficient credentials have been leaked to allow access to your account. Accounts with old passwords or weak passwords won’t trigger an alert. Only accounts that have been fully compromised – with both username and password falling into the hands of hackers – will trigger an alert.
What else can I do to secure my accounts?
The simplest way to keep accounts secure is to change your password regularly, using a long string containing a combination of letters, numbers and other characters. It is best if you can commit your password to memory, although it can be a good idea to keep a paper copy in a safe to avoid issues should you forget it.
Where offered by account providers, you should take advantage of two-factor authentication. Typically, this involves registering a phone number to which a validation code can be communicated when you log in to the account. Even if the username and password are leaked, hackers will need access to your phone to retrieve the code, which is unique to each login attempt.