A new Google tool tells you if your password is unsafe
During its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords.
Armed with this info, the Chocolate Factory directed its software engineers, in conjunction with crypto boffins from Stanford University, to create a Chrome browser extension called Password Checkup that allows Chrome users to check to see whether their passwords can be found online.
The hope is that users thus warned will get the hint and change the compromised secret.
Mozilla's rival browser Firefox implemented a similar service last year called Firefox Monitor that checks a third-party database of exposed credentials called HaveIBeenPwned.com. Users of password management app 1Password also have access to an extension that checks stored credentials against exposed ones using the same service.
Google's Password Checkup extension takes a similar approach with its internal dataset of 4bn identifiers.
Your password is safe - trust us
Members of Google's security and anti-abuse research team – Jennifer Pullman, Kurt Thomas, and Elie Bursztein – claim that "Google never learns your username or password" even though it collects the data.
"At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried," the trio explain in a blog post today. "At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option."
The company's supposed ignorance of these secrets arises from repeated hashing and privacy techniques like single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer.
Google hashes found usernames and passwords with the Argon2 hash, storing first two bytes of the hash an index for lookups, and then encoding the hash with elliptic curve encryption.
Password Checkup can thus subject user credentials to the same encoding process and then query Google's database of unsafe passwords for match candidates using the two-byte index. Google returns the set of encrypted hashes that share that anonymous prefix to be compared on the user's local machine to the encrypted hash of the user's current username and password. A match means it's time to come up with a new password.
Pullman, Thomas and Bursztein say that this is the first version of Password Checkup and that they expect to refine it over time. They may have to if the Chromium team's proposed Manifest v3 changes to the Chrome Extensions platform go ahead: the extension relies on the webRequest API that slated for future renovation.
In terms of privacy permissions, the extension can read and change site data on all websites. If that's a concern, consider DuckDuckGo and the Tor Browser.
In a Twitter chat with The Register, Troy Hunt, the security researcher who created HaveIBeenPwned (HIBP), expressed support for Google’s similar service.
“I think anything that drives people away from the behavior that is password reuse is a very positive thing and on that front, I’m glad they’ve done it,” he said.
“It certainly doesn’t bother me that they’re doing a similar thing to HIBP’s Pwned Passwords, it’s a completely free service with the same objectives they have anyway.”
He said he wasn’t familiar enough with the workings of Google’s system to evaluate its privacy implications. “I believe it’s similar to the model Cloudflare came up with for HIBP which is really solid privacy wise,” he said.
“Of course, being Google people will always assume they’re trying to siphon up all the data, hopefully that’s not something that’s actually happening in any fashion that would impact privacy.”
source theregister
Industry: Cyber Security News
Latest Jobs
-
- Technical Pre Sales Cybersecurity Consultant. Healthcare
- England
- N/A
-
Technical Pre Sales Cybersecurity Consultant UK Remote | Healthcare Focus Overview We are seeking an experienced Technical Pre Sales Cybersecurity Consultant to support healthcare organisations by delivering advisory, solution design, and security uplift services. This role focuses on improving security outcomes, addressing operational challenges, and enabling informed technology decisions across complex and regulated environments. The position blends technical pre sales expertise with a consultative approach, working closely with clinical, technical, and commercial stakeholders to shape effective cybersecurity solutions. The individual must be able to achieve UK Security Clearance. Key Responsibilities Provide technical pre sales support across cybersecurity solutions and services for healthcare organisations Engage stakeholders to understand security challenges, risks, and operational pain points Deliver advisory guidance and recommendations to strengthen security posture and resilience Translate customer requirements into clear, outcome focused technical and commercial solution designs Act as a trusted technical advisor throughout the sales and early delivery lifecycle Produce clear technical documentation, recommendations, and customer facing materials suitable for regulated environments Collaborate closely with sales, delivery, and technical teams to align solutions with customer needs Experience and Skills Proven experience in technical pre sales or cybersecurity consultancy Experience working within healthcare or other highly regulated sectors Broad knowledge of cybersecurity technologies, managed services, and risk based approaches Strong communication skills with the ability to engage both technical and non technical stakeholders Confident operating in a client facing, consultative role UK based role with remote working Occasional travel for customer engagement as required
-
- Contract Technical Pre Sales Cyber Security Healthcare. SC clearance needed
- England
- Outside IR35
-
Contract Technical Pre Sales Cyber Security Healthcare Outside IR35 Contract | UK Remote | Healthcare Focus Existing SC clearance is required. Overview Seeking an experienced Technical Pre Sales Cybersecurity Consultant is required to deliver advisory and uplift services across complex healthcare organisations. This Outside IR35 contract operates on a consultancy basis, focused on improving security outcomes, addressing operational pain points, and supporting informed Cyber Security decisions. The role combines deep technical pre sales capability with consultative advisory delivery, working across clinical, technical, and commercial stakeholders to shape effective and proportionate cybersecurity solutions. Responsibilities Provide technical pre sales consultancy across cybersecurity solutions and services within healthcare environments Engage senior stakeholders to understand security challenges, risks, and operational pain points Deliver advisory guidance and uplift recommendations to improve security posture, resilience, and maturity Translate healthcare requirements into clear, outcome focused technical and commercial propositions Act as a trusted technical advisor throughout the pre sales and early engagement lifecycle Produce concise technical documentation, recommendations, and advisory outputs suitable for regulated healthcare settings Experience Strong background in technical pre sales or cybersecurity consultancy Experience working with healthcare or other highly regulated environments Broad understanding of cybersecurity technologies, managed services, and risk based security approaches Ability to communicate complex technical concepts to both technical and non technical audiences Comfortable operating independently in a client facing advisory role
-
- London Sales Manager, Key Clients. Security. Immediate
- London
- N/A
-
London Sales Manager, Key Clients A senior sales leadership role within the cyber security services and technology market, focused on account development and revenue growth across key clients. You will lead a sales team with responsibility for customer retention, increasing share of wallet and maintaining a strong commercial pipeline. The role works closely with technical, delivery and marketing teams, as well as technology partners. Key focus Lead and coach a field based sales team Own forecasting, pipeline quality and revenue delivery Drive renewals and account development Expand customer investment across services and solutions Build relationships with vendors and partners Background Proven experience managing enterprise sales teams Consistent performance against revenue targets Cyber or IT security sales leadership experience Exposure to Palo Alto, Check Point, Microsoft, etc Commercially focused with a structured sales approach A role for a sales leader focused on long term client value and sustainable growth.
-
- Outside IR35 Functional tester - London - Security Cleared
- London
- Outside IR35
-
Outside IR35 Functional tester - London - Security Cleared Willing to undergo DV Clearance 3 days a week onsite. (London) We are looking for a Functional Test Specialist to support a complex technology programme where accuracy and delivery assurance matter. Key Focus Validate application behaviour and run functional test scenarios Identify risk, defects, and delivery issues early Define practical test approaches and environment needs Produce automated checks where appropriate Work closely with technical teams to agree acceptance criteria Report clearly on outcomes, defects, and risks Experience Needed Strong Microsoft stack exposure Experience supporting server or infrastructure migrations Solid functional testing background Comfortable working remotely onsite (London 3 days a week) Linux or container exposure Jira / Wiki Restricted or isolated environments A hands on role for someone who values clarity, ownership, and quality.