A new Google tool tells you if your password is unsafe
During its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords.
Armed with this info, the Chocolate Factory directed its software engineers, in conjunction with crypto boffins from Stanford University, to create a Chrome browser extension called Password Checkup that allows Chrome users to check to see whether their passwords can be found online.
The hope is that users thus warned will get the hint and change the compromised secret.
Mozilla's rival browser Firefox implemented a similar service last year called Firefox Monitor that checks a third-party database of exposed credentials called HaveIBeenPwned.com. Users of password management app 1Password also have access to an extension that checks stored credentials against exposed ones using the same service.
Google's Password Checkup extension takes a similar approach with its internal dataset of 4bn identifiers.
Your password is safe - trust us
Members of Google's security and anti-abuse research team – Jennifer Pullman, Kurt Thomas, and Elie Bursztein – claim that "Google never learns your username or password" even though it collects the data.
"At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried," the trio explain in a blog post today. "At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option."
The company's supposed ignorance of these secrets arises from repeated hashing and privacy techniques like single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer.
Google hashes found usernames and passwords with the Argon2 hash, storing first two bytes of the hash an index for lookups, and then encoding the hash with elliptic curve encryption.
Password Checkup can thus subject user credentials to the same encoding process and then query Google's database of unsafe passwords for match candidates using the two-byte index. Google returns the set of encrypted hashes that share that anonymous prefix to be compared on the user's local machine to the encrypted hash of the user's current username and password. A match means it's time to come up with a new password.
Pullman, Thomas and Bursztein say that this is the first version of Password Checkup and that they expect to refine it over time. They may have to if the Chromium team's proposed Manifest v3 changes to the Chrome Extensions platform go ahead: the extension relies on the webRequest API that slated for future renovation.
In terms of privacy permissions, the extension can read and change site data on all websites. If that's a concern, consider DuckDuckGo and the Tor Browser.
In a Twitter chat with The Register, Troy Hunt, the security researcher who created HaveIBeenPwned (HIBP), expressed support for Google’s similar service.
“I think anything that drives people away from the behavior that is password reuse is a very positive thing and on that front, I’m glad they’ve done it,” he said.
“It certainly doesn’t bother me that they’re doing a similar thing to HIBP’s Pwned Passwords, it’s a completely free service with the same objectives they have anyway.”
He said he wasn’t familiar enough with the workings of Google’s system to evaluate its privacy implications. “I believe it’s similar to the model Cloudflare came up with for HIBP which is really solid privacy wise,” he said.
“Of course, being Google people will always assume they’re trying to siphon up all the data, hopefully that’s not something that’s actually happening in any fashion that would impact privacy.”
Industry: Cyber Security News
- M&E Project Manager
- £35,000 - £65,000 + Bonus + Benefits
M&E Project Manager with a Data centre / Construction / Mission Crticial background is needed in London area to join a leading Data Centre business. The M&E Project Manager MUST have experience working in data centre or mission critical project environments for a minimum of 2 years The M&E Project Manager will be responsible for planning, controlling and coordinating the delivery of various construction and business as usual projects. Ensuring work keeps to deadlines and within cost parameters. You will be responsible for overseeing projects worth over £5 million from start to finish, managing suppliers and contractors. This is an excellent opportunity for someone looking to build a career working for an internationally recoginised brand who truely belive in staff development and progression. Reference Number: PG7448
- Marketing Specialist
- £35k - £37k + Bonus + Excellent Benefits
My client, a leading name in the IT industry, are seeking a Marketing Specialist to join their team. This is an excellent role for someone looking to develop themselves in a diverse role with resposnbilites and authority with the real chance to make change and have an effect on a global business. Required Experience: 5+ Years in Marketing + Public Relations Experience organising and running campaigns and events. Content Creation - Social Media, Website and Blogs Email Campaigns A degree in Marketing, Business admin or related subject Marketing qualification, ideally CIM. IT / Telecoms Background prefered but not essential. Reference: PG7447
- ServiceNow Administrator (Contract)
- £350 Per Day
We are currently working on behalf of a London based service provider who are on the look out for a ServiceNow Administrator for a 6 month initial contract The ServiceNow Administrator will be responsible for supporting, configuring, scripting & integrating the ServiceNow ITSM (IT Service Management) tool. Requirements Current ServiceNow ITSM (IT Service Management) experience is a MUST Current experience within an IT service provider A Certified ServiceNow System Administrator certification isn’t a must be extremely beneficial Day Rate: £350 Per Day Reference Number: BD7439a
- Cyber Security Sales
- £120,000 – £140,000 OTE
£120k - £140k OTE Sales Account Management / New Business in the London / Reading area. This opportunity comes with existing accounts with internal sales support. MUST have the ability to develop New business as well as help existing accounts. Experience selling Solution and Managed service experience preferred e.g. Check Point, Palo Alto, F5, etc. Must be UK based and ideally able to achieve SC clearance DCL Search & Selection Exclusive and looking to hire ASAP. Contact me for more info 07884666351 / chris.holt@DCLSearch.com Reference Number: CH7444