A new Google tool tells you if your password is unsafe
During its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords.
Armed with this info, the Chocolate Factory directed its software engineers, in conjunction with crypto boffins from Stanford University, to create a Chrome browser extension called Password Checkup that allows Chrome users to check to see whether their passwords can be found online.
The hope is that users thus warned will get the hint and change the compromised secret.
Mozilla's rival browser Firefox implemented a similar service last year called Firefox Monitor that checks a third-party database of exposed credentials called HaveIBeenPwned.com. Users of password management app 1Password also have access to an extension that checks stored credentials against exposed ones using the same service.
Google's Password Checkup extension takes a similar approach with its internal dataset of 4bn identifiers.
Your password is safe - trust us
Members of Google's security and anti-abuse research team – Jennifer Pullman, Kurt Thomas, and Elie Bursztein – claim that "Google never learns your username or password" even though it collects the data.
"At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried," the trio explain in a blog post today. "At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option."
The company's supposed ignorance of these secrets arises from repeated hashing and privacy techniques like single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer.
Google hashes found usernames and passwords with the Argon2 hash, storing first two bytes of the hash an index for lookups, and then encoding the hash with elliptic curve encryption.
Password Checkup can thus subject user credentials to the same encoding process and then query Google's database of unsafe passwords for match candidates using the two-byte index. Google returns the set of encrypted hashes that share that anonymous prefix to be compared on the user's local machine to the encrypted hash of the user's current username and password. A match means it's time to come up with a new password.
Pullman, Thomas and Bursztein say that this is the first version of Password Checkup and that they expect to refine it over time. They may have to if the Chromium team's proposed Manifest v3 changes to the Chrome Extensions platform go ahead: the extension relies on the webRequest API that slated for future renovation.
In terms of privacy permissions, the extension can read and change site data on all websites. If that's a concern, consider DuckDuckGo and the Tor Browser.
In a Twitter chat with The Register, Troy Hunt, the security researcher who created HaveIBeenPwned (HIBP), expressed support for Google’s similar service.
“I think anything that drives people away from the behavior that is password reuse is a very positive thing and on that front, I’m glad they’ve done it,” he said.
“It certainly doesn’t bother me that they’re doing a similar thing to HIBP’s Pwned Passwords, it’s a completely free service with the same objectives they have anyway.”
He said he wasn’t familiar enough with the workings of Google’s system to evaluate its privacy implications. “I believe it’s similar to the model Cloudflare came up with for HIBP which is really solid privacy wise,” he said.
“Of course, being Google people will always assume they’re trying to siphon up all the data, hopefully that’s not something that’s actually happening in any fashion that would impact privacy.”
Industry: Cyber Security News
- Senior Identity and Access Management Consultant (IDAM)
- €70,000 - €85,000
(Security Consultant, Technical Consultant, Consultant, IDAM, CyberArk, RSA, Cyber, Security, Germany) Location: Frankfurt *Candidates must be EU based (Germany preferred) as our client are unable to provide sponsorship* Senior Identity and Access Management consultant (IDAM) subject matter expert is needed to lead and drive technical and or business transformation projects in a client facing position for a prestigious consultancy in Frankfurt, Germany. A broad technical knowledge across Identity and access management is essential. Technical hands-on experience with one or more of the following Ping, Forgerock, Cyberark, RSA Aveksa is highly desirable. A successful individual will be client facing and MUST be able to effectively engage, consult and provide advice to complex client engagements. The position will give the Senior Identity and Access Management consultant the opportunity to work with top tier clients with the view of making a meaningful strategic difference. If you are passionate about your industry and specialise in the IDAM space and are looking for a new challenge to step up, apply today and speak with the Security team. Call DCL Search & Selection on 0208 663 4030 and find out about more of our cybersecurity jobs. Reference: TC7528 (Security Consultant, Technical Consultant, Consultant, IDAM, CyberArk, RSA, Cyber, Security, Germany)
- Business Development Manager (IoT Connectivity Solutions)
- Up to €120,000 plus bonus and benefits
Experienced Business Development Manager is required for an expanding Service Provider to sell/position their IOT connectivity solutions into the Manufacturing Sector within the German market. This is a great opportunity to join a key player within this space, who have a number of successful projects for you to reference, they have the skills and the network but now needs the key person to help take the message to market You need to have proven sales experience within the mobile cellular IOT connectivity space and ideally knowledge of the manufacturing sector, this is a true consultancy role, you will be comfortable working with other sales team within the business but also able to directly approach key customers yourself. Great opportunity to join an expanding business as they grow their German Presence Ref: RA7259 (IoT Sales Jobs, IoT Sales, IoT Sales Executive, IoT Business Development Manager)
- Services Manager (Telecommunications)
- Up to £75,000 plus benefits and bonus
Service Manager with telecommunications experience is required for a tier 1 service provider. You will be responsible for managing a number of key global account, acting as the voice of the customer within the business. Your key objectives will include: Responsibility for overall service relationship with the customer To enhance the customer experience To protect and grow customer revenues You will be working within a global business where you will be managing different services from different parts of the globe and therefore must be able to demonstrate where you have ideally worked within a similar environment. You will be a key member of the service management team responsible for a number of key accounts. You must have experience as a Service Manager from either a telecom/telecommunications or hosting business dealing with services to corporate accounts, you will need to have knowledge around telecom/telecommunications solutions. Ref: RA7255
- Infrastructure / Forensic Lab Manager
- Up to £40,000 Base
Infrastructure / Lab Manager needed to join a consulting business near London Bridge. MUST be commutable on a daily basis. The Infrastructure / Forensic Lab Manager will be responsible for the upkeep, performance, security/patching etc of the hardware/software used by the consultants across the UK business. Broad IT experience covering both on-prem - Cloud (Azure) environments, Hyper V, Security Information and Event Management tools (such as SPLUNK). Specific experience with Forensic / eDiscovery Labs (Relativity / Nuix) is highly desirable. The Infrastructure / Forensic Lab manager will be a key hire within the technical team being the escalation point for any internal IT issues. Experience liaising with remote/international stakeholder is essential. All details kept in the strictest of confidence. Apply today and or contact Chris.Holt@dclsearch.com *For this position candidates must be UK based and our client is unable to sponsor candidates outside of the EU* Ref: CH7533 (Forensics Jobs, Digital Forensics Jobs, Forensics Lab Manager)