
Chrome Adds Warning for Compromised Passwords


Google is adding a handful of powerful new security features to Chrome, including a system that will warn users whenever they enter, on any website, a username and password combination that Google knows to have been compromised.

The new password protection feature is an integration of something that’s been available in Google’s Password Checkup browser extension for several months now. With that extension, people could enter a username and password combination for a given site and see whether it was in a massive database of credentials that have been compromised in data breaches. Now that capability is built into Chrome, allowing Google to check for compromised credentials as people enter them on sites. The feature relies on a complex system behind the scenes that enables Google to check credentials while they’re encrypted.

“When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy,” Patrick Nepper, Kiran C. Nair, Vasilii Sukhanov and Varun Khaneja from the Chrome team wrote in a post on the new protections.

“In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users’ usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records down to 250 records, while still ensuring your username remains anonymous.”
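The blinded private-set-intersection check described above, as an added illustration written for this article rather than Chrome's or Google's own code: the prime 2^255 - 19 is used here as a plain multiplicative group (Chrome's real protocol blinds on an elliptic curve), and the breach database and user names are constructed. The server learns only a 3-byte username-hash prefix and a blinded value; the client learns only whether its own pair is in the returned bucket.

```python
import hashlib
import math
import secrets

# Constructed parameters: the prime 2^255 - 19 used as a plain multiplicative
# group. Chrome's real protocol blinds on an elliptic curve; the idea is the same:
# blinding exponents commute, so (h^a)^b == (h^b)^a.
P = 2**255 - 19
PREFIX_BYTES = 3  # the 3-byte SHA-256 username prefix the article mentions

def random_blind():
    """Secret exponent invertible mod P-1, so x -> x^k is a bijection on Z_P^*."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and math.gcd(k, P - 1) == 1:
            return k

def hash_to_group(username, password):
    """Hash the credential pair into a nonzero element of the group."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P or 1

def username_prefix(username):
    """Coarse bucket key that reveals only 3 bytes of the username hash."""
    return hashlib.sha256(username.encode()).digest()[:PREFIX_BYTES]

class BreachServer:
    """Holds breached credentials blinded under the server's secret key b (constructed)."""
    def __init__(self, breached_pairs):
        self.b = random_blind()
        self.buckets = {}
        for user, pw in breached_pairs:
            blinded = pow(hash_to_group(user, pw), self.b, P)
            self.buckets.setdefault(username_prefix(user), []).append(blinded)

    def query(self, prefix, client_blinded):
        """Server sees only the prefix and h^a; it returns h^(ab) and the bucket {h_i^b}."""
        return pow(client_blinded, self.b, P), list(self.buckets.get(prefix, []))

def check_credential(server, username, password):
    """Client side: True if (username, password) is in the server's breach set."""
    a = random_blind()
    blinded = pow(hash_to_group(username, password), a, P)
    double_blinded, bucket = server.query(username_prefix(username), blinded)
    # Raising each h_i^b to a yields h_i^(ab); a match means h_i == h, i.e. breached.
    return any(pow(entry, a, P) == double_blinded for entry in bucket)
```

Because gcd(a, P-1) = gcd(b, P-1) = 1, exponentiation is a bijection on the group, so a bucket match implies the underlying hashes are identical and a non-match implies they are not.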

The use of compromised credentials is one of the largest problems in security right now. Data breaches occur all the time, and the flow of user credentials into the public domain and the hands of attackers is constant. Many people reuse their usernames and passwords across multiple sites and services, and attackers often use automated tools to try compromised credentials on high-value services such as Gmail, Facebook, banking sites, and others, leading to account takeovers and serious consequences for victims. The constant drumbeat of data breach notifications can become background noise for many people, and they may not take the time to change passwords that have been compromised.

So the Chrome password check feature can fill that gap for people who are unaware that their credentials have been compromised or just haven’t changed them yet. In a research paper on the new password protection scheme, Google researchers said that 1.5 percent of about 21 million logins through the Chrome extension used breached credentials.

In addition to the password security feature, Google is also enhancing the phishing protection in Chrome. The browser uses Google’s Safe Browsing API to identify unsafe and compromised websites, which are then added to the company’s blocklist. That list is shared with other browser vendors and web companies, and it’s updated about every half hour. But Google found that the blocklist refresh wasn’t fast enough to catch every malicious or compromised site, so the company is adding real-time inspection of site URLs to the browser in order to help prevent more phishing attacks.

“When you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL with Google (after dropping any username or password embedded in the URL) to find out if you're visiting a dangerous site. Our analysis has shown that this results in a 30% increase in protections by warning users on malicious sites that are brand new,” the Chrome team said.