Can You Trust A New Google Chrome Extension to Help You Choose a Good Password?
Can a humble browser extension tell you whether or not your password is strong enough? Before we answer this question, we obviously need to explain what a strong password is.
The classical definition states that a strong password must be a random selection of uppercase and lowercase letters, numbers, and special characters. In more recent years, experts have suggested that a long passphrase could be just as good at protecting your data. There's a bit of a debate around whether or not passwords should be changed frequently, but just about everyone agrees that regardless of its age, length, and complexity, a password should never be reused on more than one website or platform. There is, however, one more factor that can make even a relatively new, extremely hard-to-guess password completely useless at protecting your account. And quite a few people seem to be overlooking it.
As you probably know, when cybercriminals steal data, they don't always keep it to themselves. Crooks share terabytes upon terabytes of compromised usernames and passwords every day. And despite what some people would have you believe, getting all this information doesn't necessarily require going to the so-called dark web. Often, downloading those massive data dumps is as easy as visiting a publicly available internet forum or downloading a torrent file. In other words, plenty of people might have access to your compromised password, and a recent series of credential stuffing attacks shows that they're not afraid to use it.
A Google Chrome extension can see if your password has been compromised
Google wants to help you protect yourself. Over the years, the search engine giant's security team has collected around four billion username and password combinations leaked in data breach incidents. A new Chrome extension called Password Checkup can use that information to assist you with your password choices.
Every time you enter your usernames and passwords, the add-on will check the credentials against Google's database, and if it finds that they have been leaked in the past, it will display a warning, letting you know that you're better off choosing a different password. The idea is that it will work on all websites, and it will fire off alerts only if it thinks that both the username and the password have been breached.
Those of you who follow data security news more closely know that this is not the first service of this kind. Australian security expert Troy Hunt created his Have I Been Pwned platform years ago, and in 2017, he also launched the Pwned Passwords service which lets you check your password against a collection of about half a billion compromised passwords.
Obviously, Google's collection is considerably bigger, which means that if your credentials have been compromised, they are more likely to be present in the search engine giant's database than they are in Troy Hunt's. But does this mean that you should download Google's Password Checkup extension immediately?
Can you trust Google's new extension?
Both Troy Hunt and Google have launched these services because the US National Institute of Standards and Technology (NIST) reckons that users can benefit from them. A couple of years ago, NIST revisited its password guidelines and told software vendors and service providers that checking users' passwords against collections of breached data and warning them when there's a match is good practice. Before it can tell you whether or not your password has been compromised, however, Google's new extension needs to analyze it, which obviously makes some people rather uncomfortable.
Thinking twice before giving your password to anyone is always a good call. Google, like most of the Silicon Valley companies whose business model revolves around data, has received its share of criticism for its attitude towards users' privacy. It's fair to say, however, that the search engine behemoth is unlikely to risk something going wrong with people's passwords.
Like Troy Hunt, Google uses hashing and encryption to ensure that it never sees the password in plain text. According to the blog post introducing the extension, the check is performed locally, and your password isn't sent to Google in any shape or form.
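To make concrete what "the check is performed locally" and "never sees the password in plain text" mean in practice, here is an added example (not code from the article, from Google, or from the Pwned Passwords project) of the hash-prefix, or k-anonymity, lookup that Troy Hunt's Pwned Passwords range API uses: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes on its own machine. Google's extension combines hashing with an additional encryption step and checks the username and password together, which this example does not reproduce. The breach corpus, the `BreachServer` class and all function names below are constructed for the illustration.

```python
import hashlib
from typing import Dict, List, Set

# Constructed stand-in for a leaked-credential collection. A real service stores
# only the hashes; the plaintexts appear here purely to build the example corpus.
CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2018!"]

PREFIX_LEN = 5  # Pwned Passwords range queries send the first 5 hex chars of the SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the representation the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Simulated server: buckets hashes by prefix and answers range queries.

    It also records what it learns about each client, which is only the prefix.
    """

    def __init__(self, breached_passwords: List[str]) -> None:
        self.buckets: Dict[str, Set[str]] = {}
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            self.buckets.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
        self.queries_seen: List[str] = []

    def range_query(self, prefix: str) -> List[str]:
        """Return every stored hash suffix whose hash starts with `prefix`."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly %d uppercase hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        return sorted(self.buckets.get(prefix, set()))


def is_password_breached(password: str, server: BreachServer) -> bool:
    """Client side: hash locally, transmit only the prefix, match the suffix locally.

    Neither the password nor its full hash ever leaves this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


def server_knowledge(server: BreachServer) -> List[str]:
    """Everything the server learned about its clients: a list of 5-character prefixes."""
    return list(server.queries_seen)


if __name__ == "__main__":
    srv = BreachServer(CONSTRUCTED_BREACHED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        verdict = "BREACHED" if is_password_breached(candidate, srv) else "not in corpus"
        print("%-32s %s" % (candidate, verdict))
    print("server saw only:", server_knowledge(srv))
```

The point of the design is visible in `server_knowledge`: with five hex characters there are about a million possible prefixes, so a service holding hundreds of millions of hashes returns a few hundred candidates per query and cannot tell which one, if any, the client actually typed.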
Ultimately, everyone decides for themselves whether or not they want to use Password Checkup, which is probably why Google decided to offer it as an add-on rather than embedding it straight into the browser. You could do worse than think about it, though.