Conveniently timed to coincide with Safer Internet Day, Google has launched a new tool, Password Checkup, designed to detect whether a username and password have been compromised.
The Password Problem
Google recently commissioned Harris Poll, a market research firm, to investigate the gap between reality and perception when it comes to online security. The online security study surveyed a sample of 3000 adults (aged 16-50) living in the United States to understand their beliefs and behaviours surrounding online security.
As one might expect, a large majority of people (69 percent) rated themselves as an A or a B with respect to their ability to adequately protect their online accounts, while a measly 5 percent gave themselves a D or an F. Moreover, 59 percent of people believe that their own accounts are safer from online threats than the average person's, and some 61 percent believe they are simply too smart to fall for a phishing campaign.
Ironically, despite this confidence, a large portion of the same respondents described password habits that put their personal information at risk: 65 percent reuse the same password, and, worse still, 51 percent said they have a favourite password that they use for the majority of their online accounts.
Google Chrome Password Checkup
Password Checkup is a new Google Chrome extension designed to detect whether the username and password you use on a site have been compromised. If it detects that they have, the extension displays a warning and suggests that you change the password immediately. According to Google, this simple measure reduces the user’s risk of being compromised tenfold.
Google says the tool was developed jointly with Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from exposure.
Password Checkup Design Principles
Alerts are actionable, not informational: an alert should only provide concise and accurate security advice. For an unsafe account, that means resetting the password.
Privacy is at the heart of the design: privacy-preserving technologies ensure that personal information is never revealed to Google. Password Checkup is also designed to prevent an attacker from abusing the tool to reveal sensitive user data, including usernames and passwords.
Advice that avoids fatigue: Password Checkup will only alert you when all of the information necessary to access your account has fallen into the hands of an attacker. In other words, the extension will not alert you to outdated or weak passwords; it will only alert you once your current username AND password appear in a breach.
In keeping with Google’s commitment to transparency, the internet giant acknowledges that this is only the first version of Password Checkup and that it will be refined over the coming months.
How does it work?
When Google discovers a username and password exposed by a data breach, the extension stores a strongly hashed and encrypted copy of the data.
As you log into a site on the web, Password Checkup sends a copy of your username to Google, again strongly hashed and encrypted so that Google never learns your credentials.
Password Checkup then uses blinding and private information retrieval to search through each of the stored unsafe usernames and passwords.
The final step is performed entirely locally: if your account details were exposed, Password Checkup issues a warning that your details have been exposed and advises you to change your password immediately.
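The following Python model is an added illustration, not Google's or the page's own code, of the blind-and-check-locally structure described above: the client sends only a coarse bucket and a blinded hash, the server applies its secret key to that blinded value and returns its keyed entries for the bucket, and the membership decision is made on the client. The Diffie-Hellman style exponent blinding, the demo-sized prime modulus, the 8-bit bucket width, PBKDF2 in place of Google's hash, and the sample breach pairs are all assumptions constructed for this example.

```python
import hashlib
import math
import secrets

# Mersenne prime 2**127 - 1; Z_P^* has order P - 1 (demo-sized; assumption, not Google's parameters)
P = (1 << 127) - 1

def strong_hash(username: str, password: str) -> int:
    # Slow hash of the credential pair (PBKDF2 stands in for Google's hash; salt is constructed),
    # mapped into [2, P-1] so it is a non-trivial group element
    digest = hashlib.pbkdf2_hmac("sha256", f"{username}:{password}".encode(), b"checkup-demo-salt", 20_000)
    return int.from_bytes(digest, "big") % (P - 2) + 2

def bucket(h: int) -> int:
    # Coarse bucket sent in the clear; the server learns only this (8-bit width is an assumption)
    return h & 0xFF

def random_exponent() -> int:
    # Random exponent invertible mod P-1, so a blinding step can be undone later
    while True:
        k = secrets.randbelow(P - 2) + 1
        if math.gcd(k, P - 1) == 1:
            return k

class BreachServer:
    """Stores breached credentials only as h^key mod P, grouped by bucket."""
    def __init__(self, leaked_pairs):
        self.key = random_exponent()
        self.buckets = {}
        for user, pw in leaked_pairs:
            h = strong_hash(user, pw)
            self.buckets.setdefault(bucket(h), []).append(pow(h, self.key, P))

    def query(self, bkt: int, blinded: int):
        # Apply the server key to the client's blinded value (server sees h^a, never h)
        # and return every keyed entry in the requested bucket
        return pow(blinded, self.key, P), list(self.buckets.get(bkt, []))

def check_credentials(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind locally and decide locally whether the pair is breached."""
    h = strong_hash(username, password)
    a = random_exponent()
    doubly_blinded, candidates = server.query(bucket(h), pow(h, a, P))
    # (h^a)^key raised to a^-1 mod (P-1) equals h^key, comparable with the stored entries
    unblinded = pow(doubly_blinded, pow(a, -1, P - 1), P)
    return unblinded in candidates

# Constructed sample breach corpus for the demo
SAMPLE_BREACH = [("alice", "hunter2"), ("bob", "letmein")]
```

Because the server only ever sees the bucket and h^a, and the client only ever sees entries already raised to the server's key, neither side learns the other's raw credentials.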
See Google’s Infographic here.
Packetlabs would like to remind you that, while there is no denying Password Checkup is a useful extension, it should only serve as a reminder of just how ineffective passwords alone can be, in terms of keeping your personal information and accounts secure.
To conclude, some helpful advice surrounding your current passwords:
Use a password manager, such as LastPass.
Use a unique password for EVERY account you have online.
If you learn of a breach, change your affiliated passwords immediately.
Turn on two-factor authentication for all sites that support it.
Consider installing the Chrome Password Checkup extension.
For more information, please review our website and contact us for in-depth information on any of the items discussed here.
Our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors'. Oftentimes, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities that are often missed by conventional testing methodologies.
We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients has been breached by a vulnerability we’ve missed; we take this very seriously.