
Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com)

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."
  • Old Solution (Score:3, Interesting)

    by Anonymous Coward on Tuesday February 05, 2019 @01:09PM (#58074214)

    The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

    • The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

      Indeed; I don't want to give Chrome my username or credentials. Granted, it could scrape my username when I log in places, but I'm assuming that is too low, even for Google.

      • Re:Old Solution (Score:4, Informative)

        by sabri ( 584428 ) on Tuesday February 05, 2019 @02:11PM (#58074588)
        Why link to Engadget when you can link to the actual article itself? https://security.googleblog.co... [googleblog.com]

        Must be kickbacks to msmash.
      • > I don't want to give Chrome my username or credentials.
        Then don't use Chrome. Google is a surveillance-and-marketing company, and you have absolutely no idea what their browser might be doing behind the scenes.

        As it is though, there's no particular reason to believe Chrome is sending your username and password anywhere but to the website you intended - that would be a liability nightmare, and I'm not seeing any profit to be made. The proper way to do this would be to generate an irreversible hash of

    • >Otherwise this extension could be used to mine credentials out of whatever database google is using.

      Except that the database is of credentials already known to be compromised - there's no need to "mine" them, just go download the same publicly available databases of compromised credentials that Google did.

      It would likely be good to also let people know if their password alone is compromised - but given the difficulty of composing a short, memorable password, the answer for most people most of the time w

  • by Anonymous Coward on Tuesday February 05, 2019 @01:10PM (#58074220)

    How does it work? Does it keep a local database of 4 billion compromised credentials and checks against them? Or, let me guess, it uploads all of my passwords to a Google-controlled server to check if they are secure? Hmm, I wonder what could go wrong with this plan.

    • I guess you could just download them by login name. And then match it locally. Still bad, but not as bad as sending up your credentials to Google and trust they will be doing the right thing with them.

      Of course... I wonder if you could use it to gain access to someone else's account who has been hacked... Still a bad idea.

    • It could just upload a hash of your password... but even so I would not want my username going up with even just a hash to anywhere but where I am logging in.

      • More likely it uploads a hash of your combined username+password. After all, there's nothing to be gained by sending the username in plain text.

        • That seems like a good idea, although the full statement is there is nothing to be gained by YOU sending the username in plain text...

          I still would be uncomfortable even with that though, because in theory someone could brute-force reverse the hash and then they would have both things.

          • I figured there's nothing to be gained by *them* by collecting it. They already get to watch everything you do on the website in question, how are they going to profit from storing your log-in credentials as well? I mean sure, "all surveillance data is good data", but in this case exposing it, or even collecting it without your permission, might put them in some legal hot water. What's the payoff to justify the risk?

    • by darkain ( 749283 )

      they are called hashes, and have been used forever. google doesn't need to store user passwords in their database or transmit them over the wire at all. google simply stores a hash of the username+password combination. when you enter credentials, that same hash is generated locally, then the resulting hash is transmitted over the wire and checked against the database. this is trivial to implement these days.

      • they are called hashes, and have been used forever. google doesn't need to store user passwords in their database or transmit them over the wire at all. google simply stores a hash of the username+password combination. when you enter credentials, that same hash is generated locally, then the resulting hash is transmitted over the wire and checked against the database. this is trivial to implement these days.

        True, but "doesn't need to" does not equal "won't".

      • google simply stores a hash of the username+password combination.

        No, the user name is ignored. All that matters is if the password appears in a breach and is likely to be in a dictionary.

    • by Dynedain ( 141758 ) <slashdot2@anthon ... Nom minus author> on Tuesday February 05, 2019 @01:44PM (#58074424) Homepage

      You could read the article or the original blog post:
      https://security.googleblog.co... [googleblog.com]

      Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.

      Your full plaintext password and full hashed password are never sent to Google.

      There's a nice diagram on the blog post that explains everything at a fairly deep level.

      • > Your full plaintext password and full hashed password are never sent to Google.

        Let's try this experiment. But for real.

        I use Chrome on a work computer. I log in to some web sites and Chrome conveniently remembers my passwords for those sites.

        Last April I get a shiny new Google Pixelbook. (think: glorified web browser with 8 GB, core i5 and 128 GB SSD -- unless you put it in developer mode effectively rooting it so it can do useful things)

        Using the Pixelbook (which is Chrome OS, of course
        • by darkain ( 749283 )

          Did you enable profile syncing between devices? Chrome already supports password sync features, which can 1) be disabled, and 2) be entirely unavailable if not logged into the syncing services at all.

          • Indeed.

            Firefox has a similar option. Very convenient, so long as you don't mind your passwords, bookmarks being stored in their database where they can be hacked or mined by bad actors.

            Firefox used to have the option of locally encrypting everything so that it would be completely inaccessible on the server without the encryption key that only you knew. Of course that also means that if you forgot your key there was no way for them to help you recover the synced data, which as I recall was the excuse they g

        • You just bought a new car and asked the dealership to move everything from your old car over to the new car, and now you're shocked—shocked—that they actually did so, despite their repair shop's promise that it will never touch their clients' stuff while doing repairs?

          I'm no fan of Google, but what you're saying is absurd. You literally asked Google to move your passwords from one device to another (which they do via encrypted communication, as an aside), so it should come as no surprise that th

          • I'm not shocked at all. I expected it to behave that way. And yes, I did have Sync turned on. I'm just pointing it out that Google ultimately can get your plaintext passwords.
        • by thegarbz ( 1787294 ) on Tuesday February 05, 2019 @03:42PM (#58075172)

          Let's try this experiment. But for real.

          I use Chrome on a work computer. I log in to some web sites and Chrome conveniently remembers my passwords for those sites.

          Last April I get a shiny new Google Pixelbook. (think: glorified web browser with 8 GB, core i5 and 128 GB SSD -- unless you put it in developer mode effectively rooting it so it can do useful things)

          Using the Pixelbook (which is Chrome OS, of course, and thus Chrome), I am able to go to my favorite web sites, and -- like magic! -- Chrome conveniently knows my login credentials to those sites.

          Hmmm didn't work for me. But then I didn't enable the completely optional feature of password synchronisation which is literally the second setting in Chrome underneath where you select your Google account.

        • by brunes69 ( 86786 )

          Chrome lets you sync your passwords to the cloud. They are encrypted with your Google account password, Google can't read them.

    • by sexconker ( 1179573 ) on Tuesday February 05, 2019 @02:51PM (#58074830)

      They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas... [haveibeenpwned.com]
      Though they're also probably stealing your passwords. It is Google, after all.

      HIBP maintains a DB of credentials they find exposed in dumps.
      HIBP hashes them with SHA1.
      HIBP provides an API.
      You hash your password with SHA1.
      You send the first 5 characters of that hash to HIBP's API.
      HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
      HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
      You search through that list of SHA1 hashes and find the one that's a complete match.
      You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.

      Go to https://haveibeenpwned.com/Pas... [haveibeenpwned.com] and open your network console.
      Put "sexy" in the field.
      The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
      Your browser sends a GET request for https://api.pwnedpasswords.com... [pwnedpasswords.com].
      The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.

      Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.

      If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.

      • by skids ( 119237 )

        Obligatory wish-i-had-mod-points reply.

        Always good to know who should get credit for an idea, and whether there are alternative services. Thanks.
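The range lookup that sexconker's comment walks through step by step above (and that Dynedain's earlier comment describes for Google's extension: hash locally, send a short prefix, compare the returned candidates in the browser) modelled end to end as an added example. This is not HIBP's or Google's code: the corpus, the server class and every count except the 104937 quoted in the comment are constructed for the demonstration, and the server records exactly what it learns from each query so the k-anonymity point can be checked rather than asserted.

```python
import hashlib

# Constructed stand-in for the breached-password corpus: plaintext -> times seen in dumps.
# Only the figure for "sexy" is the one quoted in the comment; the rest are invented.
CONSTRUCTED_CORPUS = {
    "sexy": 104937,
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 200_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket full hashes by their first 5 hex chars as 'SUFFIX:COUNT' lines."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


class RangeServer:
    """Constructed model of the range endpoint; it only ever sees 5-character prefixes."""

    def __init__(self, corpus):
        self.index = build_range_index(corpus)
        self.prefixes_seen = []  # the complete record of what the server learns per query

    def range(self, prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("range API takes exactly 5 hex characters")
        self.prefixes_seen.append(prefix.upper())
        # Every stored hash sharing the prefix comes back, suffix only, with its count.
        return "\r\n".join(self.index.get(prefix.upper(), []))


def parse_range_body(body: str) -> dict:
    """Client side: turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.split(":", 1)
            out[suffix.strip().upper()] = int(count)
    return out


def pwned_count(password: str, server: RangeServer) -> int:
    """Hash locally, send the 5-char prefix, and finish the match on the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = parse_range_body(server.range(prefix))
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    srv = RangeServer(CONSTRUCTED_CORPUS)
    print("sexy ->", pwned_count("sexy", srv), "appearances")
    print("server learned only:", srv.prefixes_seen)
```

The full digest never leaves the client; the server's `prefixes_seen` list is the whole of what an eavesdropper or the operator can record, and it identifies a bucket of candidates, not a password.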

  • interesting... (Score:3, Interesting)

    by CrimsonAvenger ( 580665 ) on Tuesday February 05, 2019 @01:13PM (#58074242)
    So, if I try name/password combinations till I get a hit, Google will tell me I've gotten a hit (on someone's account, somewhere).

    If it tells me where the UID/Pwd combo exist, I can then change someone's password for them? That could be useful....

    • by Zmobie ( 2478450 )

      Kind of my thoughts. If the right script were used this is essentially a massive rainbow table... Even if they have brute forcing limitations, with the right proxies and such it could be circumvented. Hell even a group of hackers could do some coordinated efforts and essentially unmask much of their database without having to do all that pesky pre-computing or data hosting... Not sure I like this idea...

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Somebody could put in the effort to do that, or they could go the much easier route of using the original password dumps found on various nefarious websites.

    • Why go through all that effort? Just go download the same database(s) Google did and get all the compromised credentials in plain text - it's publicly available on various hacker sites after all.

      That's the whole point - Google is warning you that your credentials are already public knowledge among criminals and intelligence agencies.

  • by Immerman ( 2627577 ) on Tuesday February 05, 2019 @01:13PM (#58074244)

    Google *can* see everything you do with Chrome - every click, every keystroke, every image you linger on a bit longer than is seemly. That capability is well within their ability, aka they *can* do it. The real question is how much of that they *choose* to collect and send back home, rather than simply having the ability to do so.

    This seems like it should be benign enough though - not much advantage to be gained collecting this information (and a lot of potential liability and bad PR), and it's simple enough to hash a name/password combination and send it back to the server in order to retrieve any/all pairs with a matching hash for comparison on your computer.

    • Why is this a surprise? Any software can *see* what you are doing. That is why you run closed source software at your own risk. You have zero idea what it could be doing. The only closed source software I use is the HOST FILES ENGINE by Apk.
      • Why is this a surprise? Any software can *see* what you are doing. That is why you run closed source software at your own risk. You have zero idea what it could be doing. The only closed source software I use is the HOST FILES ENGINE by Apk.

        Yes, because that's guaranteed not to contain a Trojan. He has told us so many times to trust him and his software that he must be trustworthy.

  • Most useful if it also stops people from using 1234567 as their password

    • by Ksevio ( 865461 )
      The blog post says they don't alert you if you use a weak password like "123456", just if it matches credentials found in a breach
  • by grep -v '.*' * ( 780312 ) on Tuesday February 05, 2019 @01:14PM (#58074250)
    Google Security Blog Info. [googleblog.com]

    Chrome Extension [google.com]
  • If I need a throwaway or temporary account, can it hook me up?

  • by rtkluttz ( 244325 ) on Tuesday February 05, 2019 @01:16PM (#58074260) Homepage

    I'll monitor my own shit thank you. I trust YOU (Google) even less than the bad guys.

    • I'll monitor my own shit thank you. I trust YOU (Google) even less than the bad guys.

      If you use Chrome, you trust Google.

      You may not trust Google in the sense of "trust" that means you have a feeling of confidence that they are likely to act correctly. But you absolutely trust Google in the sense that you're performing actions that depend on their acting correctly. Anyone who is willing to type passwords into Chrome, but unwilling for security reasons to let this extension check their passwords in the careful, secure way that it does (which doesn't involve sending a copy of your informat

  • by Anonymous Coward

    It's the old, "Please enter your credit card details and we'll check to see if they're compromised" trick, except they're just swiping the logins from the browser without going to the trouble of social engineering the user.

    What protection does the user have when the device itself is the threat, and not some nefarious third party?

    • Not quite - they're sending a partial hash of your credentials in order to look for matches in the already public databases of compromised accounts that they've assembled from hacker sites. If they find any possible matches, then they send those back to your browser for a full comparison.

      That said, there's not much stopping them from doing what you suggest except some bad press

      >What protection does the user have when the device itself is the threat, and not some nefarious third party?

      None whatsoever. T

  • I got an email that took me to a web page where they offered to check all my username/password combinations. I'm happy to say I'm good, no matches found.
  • Google is comparing against known username and passwords which means the passwords are salted and hashed.

    When you put in a username and password, it salts and hashes them the same way and then checks the database.

    They don't need your plaintext password to check since they have the plaintext compromised passwords.

    That allows them to hash both in a known secure method.

    • by Ksevio ( 865461 )
      It's actually even better than that - you only send part of your hash and they return anything with that prefix encrypted. You then encrypt your username/password and send it to them, they encrypt it again and send it back, then you unencrypt it to get a string that can be compared against the list of encrypted passwords they sent originally.
  • Troy Hunt has a really nice solution for this on his HaveIBeenPwned site [haveibeenpwned.com]. He has an API that allows you to submit a partial hash of your password (the first half of the SHA1 of your password) and then the API returns a list of complete hashes that have appeared in a breach. You can check out his about page here [haveibeenpwned.com].

    The reasoning is that you are not providing your complete password hash, so both his site and an eavesdropper would not know if your password actually appears in that list or not. Only you know,
  • by KlomDark ( 6370 )

    Hell no.

    Trust your passwords to data miners? Even after their "we didn't mean to do it" escapade of scanning everyone's wifi while driving by with the google maps car.

    About done with Chrome all the way. Currently posting with Firefox, it's gotten a lot better again.

    • If you're using Chrome, then you're implicitly trusting Google with 100% of the information about everything you do with your browser. They *probably* aren't sending all that information home, but the only thing stopping them is their own integrity.

      Ditto if you use Android - you're trusting Google not to monitor everything you do, they have the power.
      And how do you feel about Microsoft? Apple? By using their OS you're trusting them with complete information about everything you do on your computer.

      • by KlomDark ( 6370 )

        And as I said: About done with Chrome all the way. Currently posting with Firefox, it's gotten a lot better again.

        Strangely, I trust Microsoft more than I do Google.

        I remember thinking the Internet was going to be this great thing that freed everyone's minds, but now it's just become a nasty surveillance trap. I has a sad. Especially for my grandchildren having to grow up in this world, never knowing the pre 9/11 mindset.

  • ...NSA^H^H^HGoogle.
  • Way back when HTML was invented they specified an input type that browsers aren't even supposed to show on screen. The web wasn't secure, and a password input field didn't make anything safe, but it at least recognized the over the shoulder attack.
    Since then web site operators have been doing things to attempt to make your communication with them more secure, various Javascript handlers and encrypted connections, etc. Of course these things range from well implemented to actually less secure, but at least

  • What they SAY they're doing and what they ARE doing are likely Apples and Oranges.
