In early 2019, white-hat security expert Troy Hunt and other researchers shared a massive database of breached passwords and usernames. The stolen data constitutes 25 billion records and 845 gigabytes of stolen data.
While many of the collected records are from previously reported thefts, there are new records there, too. It’s a clear indication of regularity, scope and potential damage caused by poor password management.
That news coincided with Google’s announcement of its new Password Checkup extension for Chrome browsers. The extension is designed to alert and protect users who may have compromised credentials.
What is the Password Checkup Extension?
Password Checkup allows users to check if their Google account, and any other account you check into while using Chrome, has been potentially compromised during a previous data breach. Developed in partnership with Stanford University cryptographers, the extension is designed to give you critical information while safeguarding your data.
How Does Password Checkup Work?
After installing the extension, Google will alert users if they find potentially compromised passwords. The passwords are checked against a database of 4 billion known compromised credentials. Warnings are issued automatically, along with a recommendation to change the potentially compromised credential.
It’s important to note that the extension will not alert you to any outdated passwords or weak passwords. While those other factors can also lead to your account information being hacked, the Password Checkup only identifies known hacked passwords contained in databases.
What Does It Look Like When Password Checkup Is Activated?
The Password Checkup icon appears in your browser bar as a green security shield. The extension app will monitor your account whenever you use Chrome to log into a website or a service.
If it detects that the password is potentially compromised, a bright red warning box pops onto your screen. It features a warning sign and urges you to change your password. The box allows you to ignore the alert for the designated site. There’s also a link to learn more information via a page with more details about Password Checkup and how to change a potentially compromised password.
If for some reason you miss the red pop-up box, the browser extension icon turns from green to red.
Can Google See My Passwords if I use Password Checkup?
No. None of the passwords that the app uses are stored and personal information is not collected. The checked passwords are anonymized using hashes and encryption. Password Checkup was designed to prevent hackers from attacking it.
What Are the Risks of Compromised Passwords?
News stories are constantly reporting on the latest corporate data breach, revealing the thousands of records that were exposed and how that company is responding. The story behind the story is what happens to those stolen credentials.
In some cases, hackers sell information on the dark web. For users that do not know about the hack or aware but choose to do nothing, the consequences can be dire. Bad actors now can access accounts, make purchases, steal money or gain other personal information that can help to steal one’s identity.
People affected by stolen credentials can spend months or years resolving the issues related to compromised accounts. This work is time-consuming, costly and stressful.
Are There Other Tools to Check Compromised Credentials?
According to the 2019 Verizon Data Breach Investigations Report, stolen credentials are also an increasingly popular approach for hackers looking to gain access to cloud-based email servers. Stolen credentials are a particular issue for businesses in the accommodations and food services, financial and insurance, educational services, manufacturing and professional services industries.
What Can Be Done to Prevent Compromised Credentials?
For businesses, there are several steps that can mitigate the risks of data breaches that result in compromised credentials:
Develop and enforce rigorous password policies, including password complexity, reuse and expiration dates
Implement two-factor or multi-factor authentication that uses both known information, such as a stored password, and new information, such as a texted or emailed credential, (e.g. a one-time access code)
Centralized identity access management
Centrally managed single sign-on protocols
Google’s new extension is an excellent way to provide individual Chrome users with information that will protect themselves and their personal information. When combined with broader business rules, the extension should reduce the rate and severity of compromised credentials.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.