The Password Checkup tool, which the tech giant released on Tuesday, warns you if the username and password you’re using were stolen in any data breaches and then prompts you to change them if they were.
Even data breaches from more than a decade ago can still hurt victims if they’ve never changed their passwords. Consider this: A collection of 2.2 billion stolen credentials, dating as far back as 2008, is still floating around on hacker forums. Cybercriminals are counting on your being lazy.
If even one-tenth of 1 percent of the passwords in that massive leak haven’t been updated, that leaves 2.2 million accounts that hackers could take over.
Google’s own database of collected credentials from public breaches contains over 4 billion usernames and passwords, said Kurt Thomas, a research scientist at Google.
The company has used that database for the last five years to protect Google users who could be affected by third-party breaches. More than 110 million accounts were kept safe through this measure, Thomas said.
‘Without this safety measure, you’re about 10 times more likely to fall victim to an account takeover,’ he said.
Nest monitors publicly leaked password databases and checks its own databases for matches. If a user’s email and password for outside services are involved, Nest sends an alert requesting the person to change passwords — even if the company’s own data wasn’t affected by the breach.
This prevents hackers from being able to reuse passwords stolen from one service on another website. Hackers often employ this tactic to take over accounts, given how many people are likely to use the same password again and again. In a survey by Google and Harris Poll of 3,000 adults in the US, for instance, 65 percent of respondents said they reuse a password across multiple accounts. (Even so, about 60 percent of respondents say they have ‘too many passwords to remember,’ according to the survey.)
In 2016, hackers said they were able to access Facebook CEO Mark Zuckerberg’s Twitter account by using his LinkedIn password, which was stolen in a 2012 breach.
Google’s new tool doesn’t save or view your passwords in order to match them against its database of hijacked credentials, according to Google.
The 4 billion credentials in Google’s database are hashed and encrypted, and so are the passwords and usernames a person would type in to compare using the Chrome extension. It uses a cryptography technique called ‘blinding’ so Google can compare your passwords without ever needing to view them.
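To show what a blinded comparison of this kind looks like in practice, here is an added, deliberately simplified example; it is not Google’s code and does not reproduce the Password Checkup protocol exactly. It assumes a Diffie-Hellman-style oblivious comparison on the secp256k1 curve (real curve constants; the curve choice, the 2-byte hash-prefix bucketing, the plain SHA-256 credential hash and the sample leaked credentials are all constructed for illustration). The client hashes its username and password, blinds the result with a random factor the server never learns, and the server applies its own secret key to that blinded value and to every leaked credential in the matching bucket. After the client strips its blinding factor, a match means the credential is in the leaked set, yet neither side ever saw the other’s raw data.

```python
"""Toy blinded credential check (simplified oblivious-PRF style private set
intersection). Constructed illustration; not Google's code or protocol."""
import hashlib
import secrets

# secp256k1 parameters (real curve constants): y^2 = x^3 + 7 over F_P,
# prime group order N, cofactor 1 (so every curve point has order N).
P = 2**256 - 2**32 - 977
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # the point at infinity


def ec_add(p1, p2):
    """Affine point addition (and doubling) on secp256k1."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_point(data: bytes):
    """Try-and-increment hash-to-curve: first x (from SHA-256) whose x^3 + 7 is a square."""
    counter = 0
    while True:
        digest = hashlib.sha256(data + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + B) % P
        if pow(rhs, (P - 1) // 2, P) == 1:  # Euler's criterion: rhs is a square
            return (x, pow(rhs, (P + 1) // 4, P))  # P = 3 mod 4, so this is a root
        counter += 1


def credential_hash(username: str, password: str) -> bytes:
    """Client-side hash of the credential pair (assumption: plain SHA-256 for the demo)."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


class BreachServer:
    """Stores only key-blinded curve points of leaked credentials, bucketed by a
    2-byte hash prefix (constructed bucketing; the raw hashes are never kept)."""

    def __init__(self, leaked_credentials):
        self.key = secrets.randbelow(N - 1) + 1  # server secret, never leaves the server
        self.buckets = {}
        for user, pw in leaked_credentials:
            h = credential_hash(user, pw)
            point = ec_mul(self.key, hash_to_point(h))
            self.buckets.setdefault(h[:2], []).append(point)

    def query(self, prefix: bytes, blinded_point):
        """Apply the server key to the client's blinded point; return the prefix bucket."""
        return ec_mul(self.key, blinded_point), self.buckets.get(prefix, [])


def client_check(server: BreachServer, username: str, password: str) -> bool:
    """Return True if the credential is in the server's leaked set."""
    h = credential_hash(username, password)
    r = secrets.randbelow(N - 1) + 1  # fresh blinding factor, unknown to the server
    blinded = ec_mul(r, hash_to_point(h))  # the server sees only this and the prefix
    keyed_blinded, bucket = server.query(h[:2], blinded)
    # Strip r: r^-1 * (key * (r * H)) == key * H because every point has order N.
    keyed = ec_mul(pow(r, -1, N), keyed_blinded)
    return keyed in bucket


def run_demo():
    """Constructed leaked set and three client checks; returns the verdicts."""
    leaked = [("alice@example.com", "hunter2"), ("bob@example.com", "Summer2019!")]
    server = BreachServer(leaked)
    return {
        "reused_leaked": client_check(server, "alice@example.com", "hunter2"),
        "changed": client_check(server, "alice@example.com", "a-new-unique-passphrase"),
        "unknown_user": client_check(server, "carol@example.com", "hunter2"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point worth noticing is what each party learns: the server receives a blinded point it cannot invert plus a 2-byte prefix shared by many credentials, and the client receives only key-blinded points it cannot open without the server’s key. A production deployment would use a slow, memory-hard credential hash rather than SHA-256 and would size the prefix so that each bucket hides the queried credential among many others.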
Hacks happen almost daily, but you’re not expected to check every day to see if your account information was leaked in a breach. People simply have a hard time staying on top of security-related matters. Up to 69 percent of respondents to Google’s survey said they were excellent at protecting their own accounts, yet only 32 percent even knew what phishing and two-factor authentication are.
Password Checkup is designed to fill that security gap by automatically checking and warning people if they could be impacted by a potential hack.
‘We felt this was important and tried to do this as a community service and help our users everywhere,’ said Elie Bursztein, Google’s anti-abuse research team lead.