A New Google Chrome Extension Will Identify Insecure Passwords

“Password Checkup” is not a password manager, but rather a simple tool that alerts you if the password you’re using has been exposed to data breaches.

Data breaches that compromise users’ usernames and passwords have become so common and have been used in criminal activity for so long that millions of stolen credential pairs have become practically worthless to criminals, circulating freely online. In addition, this does not even begin to scratch the surface of the most recent credentials sold on the black market. All of this makes it increasingly difficult to keep track of which passwords require modification. Google has therefore developed a Chrome extension to protect your privacy.

On Tuesday, the company is announcing “Password Checkup,” a Chrome extension that constantly checks the passwords you enter on all websites against a database of known compromised passwords as you browse the web. Password Checkup is not a password manager, a strength meter, or a source of advice. It simply waits until it detects a credential pair that is known to be compromised before displaying a warning. That is all.

The tool is designed to be unobtrusive, so you will pay attention when it detects genuine threats. Password Checkup is intended to be a simple way to regain control if you’ve been feeling overwhelmed by the news of data breaches and cybercrime over the past few years.


Accounts on Google are frequently the key to a user’s email address, making them particularly sensitive. Therefore, the company has already struggled with notifying users when their Google credentials have been compromised — not because Google was hacked, but because users reuse passwords across multiple sites.

Google relies on a database of compromised credentials containing approximately four billion unique usernames and passwords, collected from online troves accessed by the company’s security teams as part of their larger threat detection research. Google claims that it has never purchased stolen credentials and that it does not currently collaborate with other security-focused aggregators such as Troy Hunt’s Have I Been Pwned service. However, the organization does accept donations of stolen credentials from researchers.

Already, the company has used this cache to compel Google users to abandon exposed passwords. And other Google divisions, such as Nest, are developing features to prevent exposed password reuse due to account takeover issues.

“We’ve reset approximately 110 million passwords on Google accounts due to massive breaches and other data exposures,” says Elie Bursztein, head of Google’s anti-abuse research. “The question is whether there is a way to do it everywhere. After 10 seconds, you may receive a notification stating “hey, this is part of a data breach; you should consider changing your password.” We want it to be perfect, so if we show it to you, you must alter it.”

Google’s database is constantly expanding, but it appears to have gaps. When I tested Password Checkup with a login that I know has been compromised in breaches, it did not flag it (so I have one account I haven’t updated yet, what are you going to do?).

Bursztein and Kurt Thomas, a Google security and anti-abuse research scientist, note that they’ve skewed toward zero false positives so that they don’t mistakenly alert users based on passwords that are similar, but slightly different, or the same password that was compromised for someone else, but not you. And they emphasize that even though the company is releasing Password Checkup as a regular Chrome extension for users to begin using, it is still an experiment and has not been finalized.

Check Mate

The researchers anticipate controversy, or “a conversation” as they commonly refer to it, regarding a crucial question that you may also have: If Password Checkup is constantly running in the background on Chrome to monitor your login credentials, won’t Google end up with a terrifying cache of all your passwords? And if so, couldn’t attackers find a way to exploit Password Checkup to steal a large number of current credentials, track you, or infiltrate Google’s stolen data database?

“When designing the system, we had to consider four threats,” Thomas says. “The first advantage is that Google never learns your username and password. Another reason is that we do not wish to reveal any usernames or passwords that do not belong to you. And we must prevent brute force attacks on the system. We do not want you to begin guessing usernames and passwords at random. And finally, we do not want any sort of trackable identifier that would reveal information about the user.”

On multiple levels, it would be impossible for Google to check credentials without any data leaving the user’s device. Instead, the company collaborated with cryptographers from Stanford University to develop multiple layers of encryption and hashing—protective data scrambling—to safeguard the data as it traverses the internet. As a deterrent against an attacker compromising the database or attempting to extract credentials from the Chrome extension, the entire database is encrypted with the robust and highly regarded Argon 2 hashing algorithm.

Instead of requiring you to download the entire database, the researchers devised a method for downloading a smaller subset or partition of the data without revealing too much information about your username and password. Password Checkup generates a hash of your username and password on your device and sends a portion of it to Google when you log into a website. The system then uses this prefix to create a smaller subset of a breached username and password data for your device to download. Thomas says, “This provides a strong anonymity set where hundreds of thousands of usernames and passwords would fall into that prefix, but we have no idea which ones they are.” “When you sign in, you send that prefix to Google, and we give you access to every account we know about.”

To index into your subset of the database, your device signs your encrypted username and password with a secret key and transmits them to Google. The company then signs the message with its secret key and sends it back to your device, which decrypts the message using its key. After this handshake is complete, the data is in the correct state of encryption and hashing to perform a compatible local lookup on your device against the downloaded portion of the database. The concept is that everything is constantly encrypted to render the data as indecipherable and useless to a potential attacker — or Google itself — at every phase.

Details Matter

Together with Stanford researchers, Google plans to publish an academic paper detailing the tool’s underlying protocols and cryptographic principles for public scrutiny.

Matthew Green, a cryptographer at Johns Hopkins, was asked about a browser extension that attempts to monitor passwords in a cryptographically secure and private manner “It is feasible. I believe it could be done securely. I believe. But details matter.” Green observes that such a plan would require near-perfect execution and would be susceptible to failure in several crucial areas. “If many people will be using it, it’s a little unsettling,” he says. Additionally, you should only install browser extensions from reputable companies.

Password Checkup could be utilized rapidly by a large number of people due to their dire need for easily digestible breach information and recommendations. Therefore, it will be Google’s responsibility to continue improving the extension’s security based on user and cryptographer feedback.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Ransomware Victims Are Fully Refusing To Pay

January 20, 2023

Cybercriminals’ preferred method of extortion is declining. Briefly, ransomware-type malware threats encrypt files and then demand payment in cryptocurrency from victims to decrypt them. In 2022, however, the market began to shift as fewer businesses elected to be blackmailed. According…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.


BestTopReviewsOnline.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of BestTopReviewsOnline.com.