A new Google tool tells you if your password is unsafe
During its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords.
Armed with this info, the Chocolate Factory directed its software engineers, in conjunction with crypto boffins from Stanford University, to create a Chrome browser extension called Password Checkup that allows Chrome users to check to see whether their passwords can be found online.
The hope is that users thus warned will get the hint and change the compromised secret.
Mozilla's rival browser Firefox implemented a similar service last year called Firefox Monitor that checks a third-party database of exposed credentials called HaveIBeenPwned.com. Users of password management app 1Password also have access to an extension that checks stored credentials against exposed ones using the same service.
Google's Password Checkup extension takes a similar approach with its internal dataset of 4bn identifiers.
Your password is safe - trust us
Members of Google's security and anti-abuse research team – Jennifer Pullman, Kurt Thomas, and Elie Bursztein – claim that "Google never learns your username or password" even though it collects the data.
"At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried," the trio explain in a blog post today. "At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option."
The company's supposed ignorance of these secrets arises from repeated hashing and privacy techniques like single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer.
Google hashes found usernames and passwords with the Argon2 hash, storing first two bytes of the hash an index for lookups, and then encoding the hash with elliptic curve encryption.
Password Checkup can thus subject user credentials to the same encoding process and then query Google's database of unsafe passwords for match candidates using the two-byte index. Google returns the set of encrypted hashes that share that anonymous prefix to be compared on the user's local machine to the encrypted hash of the user's current username and password. A match means it's time to come up with a new password.
Pullman, Thomas and Bursztein say that this is the first version of Password Checkup and that they expect to refine it over time. They may have to if the Chromium team's proposed Manifest v3 changes to the Chrome Extensions platform go ahead: the extension relies on the webRequest API that slated for future renovation.
In terms of privacy permissions, the extension can read and change site data on all websites. If that's a concern, consider DuckDuckGo and the Tor Browser.
In a Twitter chat with The Register, Troy Hunt, the security researcher who created HaveIBeenPwned (HIBP), expressed support for Google’s similar service.
“I think anything that drives people away from the behavior that is password reuse is a very positive thing and on that front, I’m glad they’ve done it,” he said.
“It certainly doesn’t bother me that they’re doing a similar thing to HIBP’s Pwned Passwords, it’s a completely free service with the same objectives they have anyway.”
He said he wasn’t familiar enough with the workings of Google’s system to evaluate its privacy implications. “I believe it’s similar to the model Cloudflare came up with for HIBP which is really solid privacy wise,” he said.
“Of course, being Google people will always assume they’re trying to siphon up all the data, hopefully that’s not something that’s actually happening in any fashion that would impact privacy.”
Industry: Cyber Security News
- Enterprise Business Development Director
- Up to £80,000 + Uncapped OTE
Our client, a Global Managed Service Provider, is seeking an Enterprise Business Development Director who will be responsible for scoping, identifying, creating and driving revenue growth across Europe and Asia at C level in the enterprise market. The Enterprise Business Development Director will need: Experienced in selling high value (multimillion) Managed Services and SDWAN to large enterprise parties· Have the ability to scope, identify and sell high value and complex managed solutions Extensive experience of commercial principles and contract negotiations with new global clients. Consistency of tenure in current and recent job roles Managing presentations, negotiations, and responsible for development/nurturing of the client relationship. Reference Number: BD7371
- Technical Design Authority (Telecoms, SDWAN, IOT, WAN, Hosted Services)
- Up to €90,000 plus car, bonus and benefits
Location: Frankfurt Technical design Authority is required to help lead a number of key client Migrations projects for this tier 1 Telecom company, the main role for the TDA is helping customers migrate to new services, with a focusing on hosting (AWS, Azure) SWWAN and IOT. You will be responsible for: Post sales design documentation, implementation and migration of complex solutions for managed enterprise customers. Complex solutions consist of multi-product services. The TDA’s role is to ensure that these services interoperate and integrate into the customer environment. Such products consist of but not limited to MPLS, Ethernet, IPSec VPN’s, VoIP, Video Conferencing, Wireless, Internet, Private DSL, WAN Optimization, Managed Security Services, Managed Hosting, SDWAN and Complex Migration Planning. The TDA will own the technical delivery of customer solutions and will be the technical interface between the customer, product teams and project management during service delivery. Close engagement with pre-sales, technically validating solutions proposed are deliverable and all technical aspects are clearly defined prior to contract signature. The TDA accepts technical ownership of the solution at the point of contract signature. Lead customer facing technical workshops requiring excellent communication with the ability to articulate technical concepts clearly to all levels of competency. Providing support to 3rd line teams for OEM and design related faults. You will need to be at CCIE level (ideally CCIE R&S or SP ) with strong low level design and deployment skills, comfortable in front of customers and leading customer meeting. Fluent German is required. Knowledge in SDWAN and Hosted services would be advantageous. Reference: RA7302
- Big Data Architect
- £70,000 + Benefits
A Big Data Architect is required for a leading Google Cloud partner. The Big Data Architect will be responsible for advising external customers(FTSE100) on Big data storage and transformation requirements on the Google Cloud platform. You will get the chance to be at the forefront of technology, regularly involved with Google Alpha tests – You will be shaping the future of google tech. Experience required; Public Cloud Architecture – Ideally Google but will consider people with an Azure or AWS background who are looking to move into GCP. Experience with Big Enterprise Data – Set ups, Flows, Pipelines etc. Strong SQL understanding – DataBase, Data Residency. Candidates must be based and eligible to work in the UK without sponsorship as our client do not have the ability to sponsor. Reference Number: PG7347
- NetIQ Consultant (Contract)
- £600 Per Day
A NetIQ Consultant is needed for a 6 month engagement in London. The NetIQ Consultant will be responsible for Designing, Configuring & Implementing Micro Focus Operations Centre & eDirectory Solutions. Required skills and experience Current experience with Micro Focus Operations Centre & eDirectory. SC Clearance is needed due to the nature of work. Reference Number: CH7363