Chrome Now Warns You When Your Password Has Been Stolen

Google is rolling out Chrome 79, and it includes a number of password protection improvements. The Verge reports: The biggest addition is that Chrome will now warn you when your password has been stolen as part of a data breach. Google has been warning about reused passwords in a separate browser extension or in its password checkup tool, but the company is now baking this directly into Chrome to provide warnings as you log in to sites on the web.

You can control this new functionality in the sync settings in Chrome, and Google is using strongly hashed and encrypted copies of passwords to match them using multiple layers of encryption. This allows Google to securely match passwords using a technique called private set intersection with blinding. Alongside password warnings, Google is also improving its phishing protection with a real-time option. Google has been using a list of phishing sites that updates every 30 minutes, but the company found that fraudsters have been quickly switching domains or hiding from Google's crawlers. This new real-time protection should generate warnings for 30 percent more cases of phishing.

Google has all your passwords

[AK Marc]

So, Google has all your passwords anyway. So, comparing them to leaks published publicly, or publicized breaches is a great tool. Every password manager should do it.

I have reused passwords. My Slashdot password isn't "secure". Who cares if I lose my ID. It wouldn't be the first time, and isn't as low as my first was anyway. So I reused passwords for low-importance forum and support websites, and used unique and secure passwords for Google and bank sites.

So I'd probably get warnings for my reused ac

Re:

[110010001000]

I'll bet your password is "bakedalaska".

Re: Google has all your passwords

[slick7]

I'll bet your password is

Mine's bluewafflemaker.

Re:

[Sokaku]

The phishing e-mails on my junk e-mail account inform me when my junk service passwords are compromised. I apparently also have uploaded a lot of indecent photos of myself, so I really should look into that.

Re:

[gweihir]

Hehehehe. Unfortunately, I keep these emails because of just one Yahoo breach (account disabled years before that) and one empty password where I have no idea where they got that from. So not reliable, unfortunately.

Re:

[tinkerton]

I have those mails too! You should just upload indecent photos of yourself somewhere and tell them not to bother. At least that is what friendly people have advised me.
Nice of them to remind me of my password anyway.

Re:

[AmiMoJo]

It can't be done securely client side. If a database of passwords is distributed then they can be cracked offline. With a rate limited API at most you can slowly check if a bunch of passwords you already have were leaked at some point.

Re:

[AK Marc]

If they are peppered, salted, then hashed and you didn't get the salt and hash, then you can't crack them offline. The problem is when people cut corners.

Locally: Have I Been Pwned

[DrYak]

I'd rather see this implemented client-side,

That's approximately how Have I been Pwned does it.

You hash the password you want to check.
You take the first few bits of the hash.
You download chunks of verifications material that begin with the same first few bits.
Then locally, you go through these answers and see if the whole hash is actually in the list or not.

If I'm not mistaken, Firefox's own leak verification - Monitor - relies on Have I Been Pwned

Re:

[gbjbaanb]

FF's monitor just reports from elsewhere, and that generally doesn't care abotu passwords just email addresses that match the one you've asked it to monitor.

So some site gets hacked, they find out about it, and rather than waiting for the site to tell you they lost your passwords, now FF will tell you instead. Its possibly most useful for when a data aggregator gets hacked that you never knew had your details.

I think it uses Have I Been Pwned to search for registered emails.

Re:

[supremebob]

I tried out this feature, and what I found is that Chrome had a bunch of old, outdated, and just wrong passwords stored for a lot of my accounts.

All this "feature" really did for me is remind me that Google doesn't make a very good password manager.

Re:

[swillden]

I tried out this feature, and what I found is that Chrome had a bunch of old, outdated, and just wrong passwords stored for a lot of my accounts.

How did you manage that? When you log in with a new password, Chrome asks you if you'd like to update the saved password. Either you must have regularly told it no, or you've just been using a different browser. Which is fine, but you can't expect Chrome to keep an up-to-date list if you're changing the passwords through a different browser and not logging in using Chrome.

Re:

[supremebob]

Google's password manager seems to be pretty stupid. It occasionally tries to save temporary two factor authentication credentials as a password, and sometimes it doesn't prompt you at all to update your saved password when you change it.

Re:

[Jane Q. Public]

Firefox has been doing this for quite a while.

Successfully, I might add.

Re:

[AmiMoJo]

So, Google has all your passwords anyway.

No.

Google optionally lets you sync your passwords and you can set a password for that, which is used to encrypt your data so Google can't see it. This new feature doesn't send passwords to Google, it sends a hash.

For most people this is a massive security win. They are already sending their bad passwords to random web sites.

Why do you keep using bad passwords? All major browsers have a built-in strong password generator and manager so it's trivial to use better ones

Re:

[AK Marc]

Why do you keep using bad passwords?

Because if someone hacks my Slashdot account they get a $0 account. I'll keep Password123 for that, and be able to log into my forum sites without having to log into a password manager first. My bank has a unique strong password. My email (which can be used to recover a variety of passwords) has a unique strong password.

Sure, they can capture my Password123 from Ashley Madison and try that against PoF and OK Cupid and whatever else. If they get in, they get nothing of value. If they try against my ban

Second best

[TimothyHollins]

I'd be more interested in Chrome warning me when Google steals my personal information and browsing history.

Re:

[gweihir]

That one is simple: You can implement that with a post-it on your monitor telling you that Google does it.

Oh yeah, I don't see anyone abusing this feature

[Sokaku]

Yeah, so Google is going to start rehashing and sending my passwords through to additional endpoints to inspect/compare whether or not my credentials might be compromised. Thanks, but no thanks. If Google wants to do something good for the state of the Internet it should get RID of "remember my password". This, along with Microsoft's "hide file extensions for known file types" have to be the biggest culprits to the spread of phishing and malware attacks. People will "remember their passwords" a lot better

nagging you say your passsword is over used

[Joe_Dragon]

nagging you say your password is over used will just lead even more remember my password.

No Dumb rules and forced changing leads to passwords on post it's

Re:

[Trulak]

This is probably one of the dumbest password statements I've seen. I utilize "remember my password" all the time because I'm ALSO using "suggest password" in which Google provides a random (no lectures on how computers aren't really random please) string of characters that I'd never be able to remember. This ensures I have good, non-reused passwords for everything. Your comment shows hostility towards password managers which is sheer idiocy in today's world. Password managers are something EVERYONE should

So Chrome steals your passwords?

[gweihir]

And sends them to Google? Excellent! Never wonder whether your passwords were stolen, be sure they were! Also be sure that any cop, customs official, etc. has all your passwords!

Yeah, this was my first thought

[rsilvergun]

really looking forward to the first time a cop subpoena's Google to get one of those hashes and then uses it to crack open a phone. Yeah, I'm guessing Google doesn't have the raw password, but there is a _lot_ a bad actor with a subpoena could do with that data all the same.

Re:

[gweihir]

Indeed.

Re:

[AHuxley]

Yes a super international list of all in use passwords... ready for some NSA PRISM project...
Some super special dice and world list for creating creating passphrases?
That unique result is now sent up to an ad company and makes the ad company "reused" list?

Re:

[Ksevio]

No actually.

Chrome stores your passwords and then sends part of the hash to Google. Google then responds with some encrypted hashes of found stolen credentials and then Chrome can verify locally if yours is able to decrypt any of them.

Re:

[gweihir]

Still pretty bad. Oh, sure, if you have good passwords, this works. But these are far less likely to get stolen as well. For others, sending the hash to somebody with a really large database of stolen passwords and insane amounts of computing power is not really any different than sending the passwords in plain text.

Re:

[Ksevio]

It's also encrypted so Google isn't able to compare the hashes directly - they posted a fairly solid explanation a few months back: https://security.googleblog.co... [googleblog.com]

Re:

[gweihir]

That reference is buzzword-heavy, but what facts it has do not look that good.

On the very basis of it, there really is no choice though: They have to get your password hash to compare it. Sure, they can blind it a bit, but that is it. Easily reversed. Same with the account info. They do just get the prefix to Google in plain, but that still exposes you to within at most 2^16 entries. That is incredibly few if just some additional info is available (and Google has that from all the tracking they do...).

So, n

Re:

[gweihir]

But to be fair, as soon as you type a password into a web-browser, you have to assume the maker of that browser has it if they want it. They can always push an update that exposes you specifically and in this case, they probably can just be forced via an NSL or some economic threat (lots of government cloud contracts these days...) to do so.

Why would I let anyone have my passwords?

[Rick Schumann]

Seriously.

Re:

[Lennie]

People store their password in their browsers, it happens.

Wouldn't be surprised they would find out a leak by looking at the username first and looking at a hash of the password next.

I don't think Chrome would need to send the password to Google.

That's in theory.

Re:

[AHuxley]

Re "password in their browsers" that should only be used by the "site" requesting the pw and stay on the browser.
Not be uploaded to some ad company in bulk as part of using the "free" browser.

Re:

[Lennie]

My guess is they only upload the username.

Anyway... my guess is a lot of people 'sign in to Google Chrome' and upload all the stored passwords already.

Firefox

[Lennie]

So Chrome gains a Firefox feature ?:

https://www.theregister.co.uk/... [theregister.co.uk]

Re:Firefox

[scdeimos]

So Chrome gains a Firefox feature ?:

No, no it did not. Firefox implemented it properly through the secure password checking API at HIBP.

Google suffers from NIH syndrome, and they're evil, so they just implemented their own "secure" password checking scheme.

Re:

[Lennie]

Fine by me if that works, that would be great.

I would think 9 billion leaked password hashes or other numbers I've heard would take up some space.

Re:

[AmiMoJo]

You would be more upset if Google started sending hashes of your passwords to some random website. Not to mention that website getting rather annoyed at the vast amount of traffic to their API.

Of course they did it internally.

Your passwords *have* been stolen

[Rosco P. Coltrane]

by Google. How else would they know whether it has been stolen by somebody else?

One thing I've noticed about Chrome just recently

[kilodelta]

Is that it's absolutely denying access to sites that don't have complete certificate chains.