At the beginning of the year Google launched a Chrome extension called Google Password Checkup. Its function is to carry out proactive, silent checks and alert us when our credentials are insecure: Google verifies whether your username or password has ever been exposed in a security breach and tells you if you should change them.
Now Google has decided to expand this tool and integrate it with its own password manager: you can simply go to the page where you manage the passwords you have stored with Google, and one click will tell you whether your passwords have been exposed.
At Genbeta we spoke with Elie Bursztein, leader of Google’s fraud and abuse research and development team, about this tool, how it works, its purpose and the benefits of using a password manager.
It’s not the same as ‘Have I Been Pwned’
At Genbeta we have talked a lot about Have I Been Pwned, a website that for several years has checked our credentials against a huge database of security breaches and tells us if our email or password has been compromised.
In fact, browsers like Firefox integrate it through Firefox Monitor to tell you if your data has been leaked or if a website you visit has suffered a data breach.
Google Password Checkup sounds similar, but as Elie explains, it works differently: “We review login and password in a way that preserves privacy, which means that we will never know anything about your username or password. For this we work with a university to build a privacy protection protocol.”
“We will never know anything about your username or password”
In addition to this, Bursztein explains that with the Google tool there is never a false positive: Google is always 100% sure whether your data has been compromised.
Bursztein believes that this offers value to the user because the tool does not tell you which of your accounts “could be compromised” but which ones certainly are, that is, “hackers have them”.
The reason behind this project is that about four or five years ago the company began to actively investigate the credentials of Google users that had been leaked in data breaches, and found more than 100 million accounts.
This tool is for those who do not know how to, or do not have the time to, search for their data in those leaked databases to check if their credentials have been exposed.
Don’t use the same password everywhere
When asked about other methods that could replace passwords in the future, Elie told us that it is not a matter of changing from having passwords to having no passwords; the most important thing is to start by using a password manager so as not to use the same password everywhere.
Only 20% of users use a password manager, so 8 out of 10 people generate passwords themselves and end up using the same one everywhere; when one is compromised they are all compromised. The first step is to get people to start using a manager, and if we can then get them to use two-factor authentication, even when a password is leaked, that other factor will be needed to be able to compromise their data.
There are many arguments for and against the use of password managers, but one that tends to hold some users back is the fact that they depend on a master password, and if that is compromised then everything is compromised.
Elie understands that concern and is clear that it is a problem, but sees it as a trade-off that people have to decide to make and that is worth it. No method is perfect, and the ideal is to protect that master password very well by making it secure and using a service with a good reputation:
“It’s not perfect, but it’s a good step. In the case of Google’s password manager, your passwords are protected by your Google account.”
Later this year Google Password Checkup will also become part of Chrome, offering real-time protection without the need for extensions.
For now, you can go to g.co/securitycheckup and passwords.google.com to check your stored passwords and verify whether they have been compromised in data breaches, are being used on different sites, or are very weak.