Mark Risher, Google’s senior director of account security, identity and abuse, says passwords are one of the worst things on the internet: while they are critical to security and let people log on to countless apps and websites, they are also one of the main ways users’ accounts end up compromised. Google has been trying for years to free users from passwords, or at least to minimize the damage when passwords leak. In the coming weeks, one of Google’s quietest tools in that fight, the Password Checkup extension, will get more attention as it is added to the security checkup dashboard built into every Google account.
While users can rely on tools like a password manager to keep track of their login information, many end up simply reusing passwords across accounts. According to a survey released in February 2019 by Google and the research firm Harris, 52 percent of people reuse the same password on multiple accounts, and 13 percent reuse one password on all of their accounts. Microsoft said in 2019 that 44 million Microsoft accounts were using login information that had already been leaked online.
For some time now, Google has been trying, slowly but firmly, to help users build better password habits. Over the years the company has provided a built-in password manager for Google accounts on Chrome and Android that saves your passwords and fills them in automatically on websites and in apps. For more than a year, Google has also been trying to help people proactively choose better passwords through its Password Checkup tool. The tool checks your logins against a database of 4 billion leaked credentials to see whether the username and password you entered match a known compromised pair.
This is not a new idea, but Google has a unique advantage in offering a service like password checking. With access to billions of passwords and the scale to match, the company can integrate the checking tool into the account security tools that many people already rely on, and so reach billions of users.
Getting Password Checkup to flag leaked credentials in a privacy-respecting way was a difficult technical problem that took a joint effort by Google and Stanford. Researchers at both organizations told me that the challenge was to find a way to automatically check user credentials against the database of leaked logins without disclosing the user’s credentials to Google and without giving users access to the entire database, while still scaling the solution to Google’s enormous user base.
To do this, Google stores a hashed and encrypted version of each known username and password exposed in a data breach. Every time you log into an account, the tool sends a hashed and encrypted version of your login information to be compared against that database. That way, Google cannot see your password, and you cannot see Google’s list of logins that are known to have been compromised. If a match is found, Google displays a warning suggesting that you change the password for that site.
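The exchange described above can be made concrete with a small private-set-membership check. The following is an added illustration, not Google’s or Stanford’s code: it uses a toy multiplicative group modulo the Mersenne prime 2^127 - 1 where the real deployment uses an elliptic-curve group, PBKDF2 with a constructed public salt where a production system would use a memory-hard hash, and a constructed two-entry breach list. The two-byte prefix, the exponent blinding and all names are assumptions of this example. The server sees only a short hash prefix plus a blinded value, and the client sees only server-keyed entries for that prefix, which it can compare against but not reverse.

```python
"""Toy private credential check (added example, not Google's code).

The client learns only whether its own username:password pair is on the
breach list; the server learns only a short hash prefix and a blinded value.
"""
import hashlib
import math
import secrets

# Constructed toy group: Z_p^* for the Mersenne prime 2^127 - 1.  A real
# deployment uses an elliptic-curve group; the commutative blinding algebra
# (h^b)^k = (h^k)^b is the same.
P = 2**127 - 1
ORDER = P - 1                                  # every element's order divides p - 1
DEMO_SALT = b"password-checkup-demo-salt"      # assumption: fixed public salt
PREFIX_BYTES = 2                               # assumption: 16-bit bucket prefix


def random_exponent() -> int:
    """Secret exponent coprime with the group order, so it can be inverted."""
    while True:
        k = secrets.randbelow(ORDER)
        if k > 1 and math.gcd(k, ORDER) == 1:
            return k


def credential_digest(username: str, password: str) -> bytes:
    """Slow hash of the pair so anyone holding the list still pays for every
    guess (PBKDF2 stands in for the memory-hard hash a real system would use)."""
    data = f"{username}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", data, DEMO_SALT, 20_000)


def to_group(digest: bytes) -> int:
    """Map a digest to an element of Z_p^* other than 0 or 1."""
    return int.from_bytes(digest, "big") % (P - 2) + 2


def bucket(digest: bytes) -> bytes:
    """Short prefix that selects which slice of the database is consulted."""
    return digest[:PREFIX_BYTES]


class BreachServer:
    """Stores only server-keyed ("encrypted") hashes of leaked credentials,
    grouped by prefix; the raw pairs are never kept."""

    def __init__(self, leaked_pairs):
        self.key = random_exponent()
        self.buckets = {}
        for username, password in leaked_pairs:
            d = credential_digest(username, password)
            keyed = pow(to_group(d), self.key, P)          # H(cred)^k
            self.buckets.setdefault(bucket(d), []).append(keyed)

    def query(self, prefix: bytes, blinded: int):
        """Server sees a prefix and H(cred)^b; it returns (H(cred)^b)^k plus
        every keyed entry that shares the prefix."""
        return pow(blinded, self.key, P), list(self.buckets.get(prefix, []))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind, then compare locally."""
    d = credential_digest(username, password)
    h = to_group(d)
    b = random_exponent()
    b_inv = pow(b, -1, ORDER)                                # Python 3.8+
    double_keyed, candidates = server.query(bucket(d), pow(h, b, P))
    keyed = pow(double_keyed, b_inv, P)                      # (h^(b*k))^(1/b) = h^k
    return keyed in candidates


# Constructed breach list for the demo.
LEAKED = [("alice@example.com", "Summer2019!"), ("bob@example.com", "hunter2")]
SERVER = BreachServer(LEAKED)

if __name__ == "__main__":
    for user, pw in [("alice@example.com", "Summer2019!"),
                     ("alice@example.com", "correct horse battery staple")]:
        verdict = "compromised" if check_credential(SERVER, user, pw) else "not in list"
        print(user, verdict)
```

The unblinding step works because b and its inverse cancel in the exponent modulo the group order, so the client recovers exactly the value the server would have stored for that credential and can compare it against the bucket it received without ever learning the server key or the plaintext entries.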
Google obtains leaked login information from a number of different sources and trusted partners, including underground forums where password dumps are shared publicly. Google never pays criminals for stolen data; rather, because of how these markets work, stolen data regularly surfaces and becomes openly available, and Google collects it from there.