Google Chrome Breach Monitoring

Google Chrome is due to implement a new feature that will warn you, each time you log in, if your credentials have been found to be leaked anywhere on the web. The credential check, named “Password Checkup”, is a service being rolled out gradually to everyone who is logged into Chrome, and is designed as a security feature to help you manage your security risks.

The way Google achieves this is as follows:

1. When Google identifies a data breach, they store the username and password in a strongly encrypted format in a database. This hash is encrypted with a secret key known only to Google.

2. When you log into a website, Google will strongly hash and encrypt your username and password, so that Google cannot read them during processing. This is handled by the “Password Checkup” service.

3. Using “private set intersection with blinding”, Google searches through every unsafe username and password without revealing your, or anyone else’s, account details.

4. Google searches through every breached username and password, without revealing your credentials, and compares each record against each finding.
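The blinding idea behind steps 1 to 4 can be shown with a toy private set intersection. This is an added example for illustration, not Google's code: the group (integers modulo 2^255 - 19), the class and function names, and the sample credentials are all assumptions made here.

```python
import hashlib
import math
import secrets

# Toy group: integers modulo the prime 2^255 - 19. Chosen for brevity only;
# a real deployment would use a vetted elliptic-curve group.
P = 2**255 - 19

def random_exponent():
    """Secret exponent that is invertible modulo P - 1, so it can be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def hash_to_group(username, password):
    """Map a credential pair to a nonzero element modulo P."""
    data = f"{username}\x00{password}".encode()
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

class BreachServer:
    """Holds breached credentials only in blinded form, under its own key."""
    def __init__(self, breached):
        self._key = random_exponent()
        self.blinded_db = {pow(hash_to_group(u, pw), self._key, P) for u, pw in breached}

    def reblind(self, client_blinded):
        # The server sees H(cred)^a, never H(cred) or the credential itself.
        return pow(client_blinded, self._key, P)

def client_check(server, username, password):
    """Return True if the credential is in the server's breach set."""
    a = random_exponent()                       # fresh blinding key per lookup
    blinded = pow(hash_to_group(username, password), a, P)
    double_blinded = server.reblind(blinded)    # H(cred)^(a*b)
    a_inv = pow(a, -1, P - 1)                   # inverse of a modulo the group order
    unblinded = pow(double_blinded, a_inv, P)   # H(cred)^b, comparable to the database
    return unblinded in server.blinded_db

# Constructed sample data, not real breach records.
SAMPLE_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]

if __name__ == "__main__":
    server = BreachServer(SAMPLE_BREACH)
    print(client_check(server, "alice@example.com", "hunter2"))
    print(client_check(server, "alice@example.com", "a-unique-passphrase"))
```

The client learns only whether its own credential matches, and the server only ever handles a value blinded with a key it does not hold.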

Firefox has also released a similar tool, named Firefox Monitor, which checks for data breaches when you enter your email address and, if you register that address, sends you a warning about any data breaches that appear in the future. This process works differently to the Chrome version, which will check your credentials against a database each time you log into a website.

This new feature offers a huge improvement in the management and awareness of breached credentials, and will help users to understand the implications of password reuse and why they should use strong passwords to prevent these from being cracked after a data breach.