Computerworld

Google launches leaked-password checker, will bake it into Chrome in December

Search giant plans to add a hacked-password alert system into its browser by the end of year; Firefox aims to do much the same thing this month

Google has launched a web-based hacked-password checker, part of its efforts to bake an alert system into Chrome.

Called "Password Checker," the service examines the username-password combinations stored in Chrome's own password manager and reports back on those authentication pairings that have been exposed in publicly-known data breaches.

The web version can be found at passwords.google.com - the umbrella site for Chrome users who run the browser after logging in with their Google account, then use that to synchronise data - including passwords - between copies of Chrome on different devices.

After requesting a password checkup, Google returns the results to Chrome, organised in lists of accounts relying on already-compromised username-password pairs, accounts for which the user has reused a password (something usually frowned on by security experts) and accounts that rely on weak passwords.

At the moment, there's nothing built into Chrome, at least the most polished, Stable build; only the external web-based dashboard has been launched.

But as Google said last month when it released Chrome 77, it plans to bake a hacked-password alert system into the browser. Details then were absent, although the intent was clear: Chrome would have something similar to what Mozilla will premiere in three weeks when the open-source developer ships the next Firefox.

Currently, the Windows version of Chrome 78 Beta - the build that leads to Stable - as well as the less-reliable Chrome 79 Canary on both Windows and macOS, sports the new password checking system. For now, it has been hidden behind a setting on a semi-secret options screen.

To switch it on, type chrome://flags in the address bar; press Return or Enter; type passwords in the search field; locate the Password Leak Detection item; and to the right of that, select Enabled from the drop-down list. Finally, relaunch Chrome.

To verify that the alert system is active, choose Settings from the main menu (under the vertical ellipsis at the right); select Passwords under Autofill; and look for the Check password safety item. The toggle to the right should be in the on position.

When the user enters a username + password that have been exposed by a breach, Chrome should pop up a warning that the password has been leaked and needs to be changed. In Computerworld's trials, however, the alert did not always work: One website whose password had been reported in a breach did not display the alert, while several other sites - some of them using the same username + password pair - did result in an on-screen warning.

When it does appear, the alert contains a Check passwords button. Press that and the browser opens the online password checkup now in operation.

Now for Chrome 79

Last month, Google said it planned to include the hacked-password warning in Chrome 78, then - and now - slated to ship Oct. 22.

(Coincidentally, that's the same day Firefox is to launch its alert system. More on that in a bit.)

But on Tuesday, in one of several Chromium bug reports devoted to the password warning development, the feature was described as "launching in M79 for all the platforms." M79 refers to Chrome 79, the year's last upgrade, set to release December 10.

The current Chrome Beta build will warn the user when he or she enters a username + password combination that's been identified as among those revealed by a data breach. The feature is slated to ship with Chrome 79, due to launch December 10Credit: Google
The current Chrome Beta build will warn the user when he or she enters a username + password combination that's been identified as among those revealed by a data breach. The feature is slated to ship with Chrome 79, due to launch December 10

If Mozilla stays with its plan, Firefox will have a hacked-password alert system of its own before that.

Firefox 70, scheduled to release October 22, will integrate two formerly separate functions - Firefox Monitor, a password alert service, and the Lockwise password manager - that will complete a swath of tasks, including identifying victimised accounts and guiding users through changes to leaked passwords.

Firefox Monitor, which Mozilla introduced in November 2018, relies on a partnership with the Have I Been Pwned? site and service.

The source of Google's leak information is unclear, but it would be less likely than, say, Mozilla, to rely on outside help. Not surprisingly given Google's emphasis on enterprise management of late, a group policy - PasswordLeakDetectionEnabled will be available at launch for IT administrators. Details of the policy's settings can be found here.