A New Google Chrome Extension Will Detect Your Unsafe Passwords
-
<snip>
On Tuesday, the company is announcing "Password Checkup," which runs in Chrome all the time as you go about your daily web browsing, and checks passwords you enter on all sites against a database of known compromised passwords. Password Checkup isn't a password manager, a gauge of how weak or strong your passwords are, or a source of advice. It just sits quietly until it detects a credential pair that is known to be exposed, and then it shows a warning. That's it.
https://www.wired.com/story/password-checkup-chrome-extension/
Mod edit: Moved to Browsers forum as it is a Chrome extension.
-
Not a good extension, because in addition to the credentials the extension also sends the URL of the webpage to Google, which isn't necessary. Google says:
We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage.
-
If you want to do this kind of thing, I would suggest downloading Troy Hunt's list of password hashes from here and checking them offline.
I also prefer to support Troy's method, as
- It is open (the data is available to all)
- It is transparent (the method of data collection and organisation is clear)
- You can check passwords in full privacy (it's offline)
- You can integrate it into your password manager and use it at your discretion (you're not forced to install an extension)
Privacy aside (it's Google, there's not much point in even hoping for any privacy), Google's method just does what they always do and tries to close this kind of service off behind their doors and that shouldn't be encouraged. Security (research) is more effective when everyone is open.
-
@LonM said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
If you want to do this kind of thing, I would suggest downloading Troy Hunt's list of password hashes from here and checking them offline.
I also prefer to support Troy's method, as
- It is open (the data is available to all)
- It is transparent (the method of data collection and organisation is clear)
- You can check passwords in full privacy (it's offline)
- You can integrate it into your password manager and use it at your discretion (you're not forced to install an extension)
Privacy aside (it's Google, there's not much point in even hoping for any privacy), Google's method just does what they always do and tries to close this kind of service off behind their doors and that shouldn't be encouraged. Security (research) is more effective when everyone is open.
I don't trust services like this, and less so when it comes from Google. If you use a strong password or a password manager you don't need this.
(Nice, Google also needs to know my passwords :smiling_face_with_open_mouth_closed_eyes:)
-
@Catweazle said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
If you use a strong password or a password manager you don't need this
Using a strong password makes it less likely that your password will be guessed, and (more importantly) it makes it more unique.
But if your password is leaked by another service, it's useful to be able to verify if it was compromised, so you can change it.
That's where the password hash list comes in. To be clearer: Offline checking is trustworthy, but I would avoid using the big massive text box inviting you to enter your password.
-
@LonM said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
@Catweazle said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
If you use a strong password or a password manager you don't need this
Using a strong password makes it less likely that your password will be guessed, and (more importantly) it makes it more unique.
But if your password is leaked by another service, it's useful to be able to verify if it was compromised, so you can change it.
That's where the password hash list comes in. To be clearer: Offline checking is trustworthy, but I would avoid using the big massive text box inviting you to enter your password.
Being offline is not necessarily a safer program, it is only while you are offline.
Anyway, I rely more on my neurons than on external programs to store confidential data.
I'm old-fashioned, I know
-
@Catweazle said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
a safer program
I see there may be a misunderstanding here. Unlike Google's solution, it's not a program, it's literally just a text file containing the hashes of leaked passwords.
If you check your password (hash) and it is in the text file, your password has been leaked somewhere. No phoning home to any services or running exes required.
This is what a section of the file looks like:
FFFFFFB54953F45EA030FF13619B930C96A9C0E3:11
Basically, it means that 11 people have used a leaked password with that hash value, so it would not be recommended for use as it is no longer unique and secure.
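An offline lookup of the kind described above, as an added example that is not part of the original post: it hashes the password locally with SHA-1 and binary-searches a `HASH:COUNT` text file, assuming the file is sorted by hash. The function names, the temporary sample file and its counts are constructed for illustration; only the `FFFFFFB5...:11` entry is the line quoted in the thread.

```python
import hashlib
import os
import tempfile

def sha1_hex(password: str) -> str:
    # Entries in the list are 40 upper-case hex characters, i.e. SHA-1 digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _line_at_or_after(f, pos: int) -> bytes:
    """Return the first complete line that starts at byte offset >= pos."""
    f.seek(max(pos - 1, 0))
    if pos > 0:
        f.readline()  # consume the rest of the line covering byte pos-1
    return f.readline()

def leak_count(list_path: str, password: str) -> int:
    """Look the password's hash up locally; 0 means it is not in the list."""
    target = sha1_hex(password).encode("ascii")
    with open(list_path, "rb") as f:
        lo, hi = 0, os.path.getsize(list_path)
        while lo < hi:  # binary search over byte offsets, not line numbers
            mid = (lo + hi) // 2
            line = _line_at_or_after(f, mid)
            if not line or line[:40].upper() >= target:
                hi = mid
            else:
                lo = mid + 1
        line = _line_at_or_after(f, lo).strip()
    digest, _, count = line.partition(b":")
    if digest.upper() == target and count.isdigit():
        return int(count)
    return 0

def build_sample_list() -> str:
    """Write a small constructed list (counts are made up); return its path."""
    lines = [f"{sha1_hex(p)}:{n}" for p, n in
             (("1234", 1000), ("password", 2000), ("letmein", 300))]
    lines.append("FFFFFFB54953F45EA030FF13619B930C96A9C0E3:11")  # line quoted in the thread
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", newline="\n") as f:
        f.write("\n".join(sorted(lines)) + "\n")
    return path

if __name__ == "__main__":
    path = build_sample_list()
    for pw in ("1234", "correct horse battery staple"):
        print(pw, "->", leak_count(path, pw))
    os.remove(path)
```

Nothing leaves the machine: the only input is the local text file, and the password is hashed in memory before the comparison.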
-
@LonM said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
@Catweazle said in A New Google Chrome Extension Will Detect Your Unsafe Passwords:
a safer program
I see there may be a misunderstanding here. Unlike Google's solution, it's not a program, it's literally just a text file containing the hashes of leaked passwords.
If you check your password (hash) and it is in the text file, your password has been leaked somewhere. No phoning home to any services or running exes required.
This is what a section of the file looks like:
FFFFFFB54953F45EA030FF13619B930C96A9C0E3:11
Basically, it means that 11 people have used a leaked password with that hash value, so it would not be recommended for use as it is no longer unique and secure.
I tried your page with one of my passwords
I use for passwords other than 1234
-