Data safety is a pretty big deal nowadays as people get increasingly concerned about the ways their personal information is used.
Many data leaks happened in the past, and the public image of some very big names in the industry were heavily affected (see the Facebook Cambridge Analytica scandal). However, this was a pretty controlled case, as the company knew exactly who received the data and what their intentions were.
In most cases, there is no way to tell that the information you have inputted on a website goes straight to the site’s database (and stays there) or it goes through an intermediate point (for example a hacker who simply wants to hijack personal data and use it malevolently).
Google to the rescue
Thankfully, Google has introduced a “Password Checkup” feature which will be fully integrated into the desktop and mobile versions of Chrome 79.
The feature has been steadily advancing its reach into Google devices this past year. It was initially named “Password Checkup” and it was an extension for desktop distributions of Chrome. It was meant to audit individual passwords when those were typed by the user. Months later, the feature was embedded into every Google account in the form of an on-demand audit that can be run on all saved passwords. Currently, the Password Checkup feature isn’t an extension anymore, since it’s being integrated into mobile and desktop iterations of Chrome 79.
The feature explained
The Password Checkup features work for those who have their username and password combinations stored in Google’s browser while also being in sync with the Google servers.
Google figured that since they have a vast encrypted database of passwords from users all around the world, they can easily compare them with the official lists of compromised usernames and passwords that have been exposed in countless security breaches over the years. It’s estimated that the number of such compromised account and password combinations goes as high as 4 billion.
Google compares encrypted credentials with an encrypted list of compromised credentials. First, a 3-byte hash of the username is sent to Google, where it is analyzed and looked up in the list of compromised usernames. In case of a match, information about the user’s computer is sent to another database consisting of every potentially matching username and password combos from the bad credentials list, of course, encrypted with a special key from Google. At this point the feature notifies users that their specific stored credentials are public and totally unsafe and advises them to (at least) change the password. The user then receives a copy of their passwords that are now encrypted with two keys: one is the base, usual key, and the other one is the key from Google’s bad credentials list.
On the computer of the user, the feature removes only the key that it is able to decrypt (the user’s private key, therefore leaving the Google-key-encrypted username and password).
You might believe that, while the feature is indeed very useful, it still sounds like data theft with extra steps. However, this is far from true: According to Google, the technique they are using (referred to as “private set intersection”) doesn’t allow users to see the list of bad credentials from Google while also blocking Google’s access to the users’ personal credentials but comparison between the two can still be done.