Google’s Password Manager now checks for breached credentials

Google has taken the next step in its strategy to secure users’ passwords. The search giant has taken a password-checking feature released early this year as an extension to its Chrome browser and embedded it directly into its password manager service.

In February, the search and advertising giant released Password Checkup, a Chrome extension that checks passwords to see if they are secure. When users enter a username and password, the extension checks a hashed version of the credentials against Google’s internal database of four billion unsafe logins. If the extension finds a match, it will warn the user and suggest that they reset their password.

Now, the company has decided to integrate this feature directly into its password manager, which is the feature in Chrome that asks if you want to save the login credentials for online services and reuse them later.

The password manager is also available via a web interface, and it’s this online version that Google has updated with the new password checkup service. It scans your stored account credentials for three things: if they’ve been compromised, if they’ve been reused in more than one place, and if they’re weak. The check takes a couple of seconds and spits out a handy report.

This is a useful service, but it’s still one step away from flagging compromised passwords directly in the browser without any add-ons. That’s coming, though. A password alert system will reportedly warn the user if they enter website credentials that have turned up in Google’s database of compromised logins. It’s already available as a feature in the Canary release of Chrome 78, but users need to download that manually until the release becomes mainstream. They also need to manually enable the feature.

Google’s move shadows Firefox’s inclusion of a scanning service for saved logins in Firefox 70. That service checks against Troy Hunt’s Have I Been Pwned (HIBP) service, though, whereas Google’s online password checking service references its own database, gleaned from sources including the open web and the dark web.

There’s a strong need for these password checking mechanisms. In August, Google released a study of data from the Password Checkup extension, revealing that 1.5% of web logins use breached credentials. That might not sound like much, but it represents breached credentials on over 746,000 distinct domains.