“Passwords are one of the worst things on the internet,” Mark Risher, Google’s senior director for account security, identity, and abuse told The Verge. Though they’re essential for security and to help people log in to many apps and websites, “they’re one of the primary, if not the primary, ways that people actually end up getting compromised.”
It’s a strange thing for a Google security executive to say because the last time you logged into Gmail, you probably typed in a password. But the company has been trying to nudge users away from the model for years, or at least minimize the damage. And in the coming weeks, one of Google’s quietest tools in that fight — the Password Checkup plugin — will be getting a higher profile, as it joins the Security Checkup dashboard built into every Google account.
Risher is right to be concerned. Though you can use a tool like a password manager to help keep track of your logins, a lot of people just end up reusing passwords for many accounts. Fifty-two percent of people reuse the same password for multiple accounts, according to the results of a poll published in February 2019 by Google and polling firm Harris. Thirteen percent of people reuse that password for all of their accounts, that poll found. And Microsoft said in 2019 that 44 million Microsoft accounts used logins that had been leaked online.
While reusing passwords can be one way to remember a complex word, phrase, or combination of letters, numbers, and symbols that you think no one will ever be able to guess, the practice can put your personal information in danger. If that reused password gets leaked as part of a data breach, hackers could then have the key to many of your other online accounts — no matter how complex the phrase is.
“We know from other research we’ve done in the past that people who’ve had their data exposed by a data breach are 10 times more likely to be hijacked than a person that’s not exposed by one of these breaches,” said Kurt Thomas, a member of Google’s anti-abuse and security research team.
Google has been trying to help users build better password habits for some time, slowly but surely. For years, the company has offered a built-in password manager in Google Accounts on Chrome and Android that can save your passwords and autofill them on websites and apps, for example. But over the past year or so, Google has also been working to help people proactively make better passwords with Password Checkup. The tool checks logins against a database of 4 billion leaked credentials, seeing if the password you’re typing in matches one that’s already leaked.
It’s not a new idea, but Google is uniquely well-positioned to offer something like Password Checkup. The company has access to billions of passwords and the scale to roll out Password Checkup to billions of users in a way that integrates with account security tools on which many people already rely.
Figuring out how to let Password Checkup flag compromised credentials in a privacy-respecting way was a tough technical problem that required a combined effort from both Google and Stanford. The challenge was finding a way to automatically check a user’s credentials against a database of breached logins without revealing that information to Google or giving the user access to the whole database, all while scaling that solution to Google’s huge user base, researchers from both organizations told me.
To do so, Google stores a hashed and encrypted version of every known username and password exposed by a data breach. Whenever you log into an account, Google will send a hashed and encrypted version of your login info against that database. That way, Google can’t see your password, and you can’t see Google’s list of known-compromised logins. If Google detects a match, Google will show an alert recommending that you change your password for that site.
Google gets compromised logins from “multiple different sources and trusted partners,” Thomas said, including underground forums where password dumps are openly shared. “We have an ethical policy that we will never pay criminals for stolen data,” he continued. “But just by virtue of how these markets work, very often, [stolen data] will bubble up and become available.” Using personas Google has in those marketplaces, the company can acquire the data, he said.
Password Checkup took about two to three years from inception to having it appear in many Google products, according to Thomas. Down the line, Google wants to have Security Checkup email you when it detects that a stored login has been compromised in a data breach, which the company plans to launch in the coming months. And later this year, Google aims to let people use Password Checkup in Chrome even if they aren’t logged into a Google account.
Google isn’t the only company to offer some kind of password-checking functionality. Paid password manager 1Password recommends changing weak or duplicated passwords and also offers Watchtower, which checks your logins against Troy Hunt’s Have I Been Pwned database of more than 9 billion compromised accounts and flags any matches. And Apple announced yesterday that its next version of Safari will have a password-monitoring tool that appears to work similarly to Password Checkup.
But Google has an advantage in helping people with their passwords thanks to its massive scale. And tools like Password Checker and the built-in password manager ladder up to a broader goal to make online security easier for users.
“What I like security to be — and what I think [Password Checker] is a good example of — is, ‘how do you make it easier for regular people to do the right thing?’” Google’s VP of security engineering Royal Hansen told The Verge. “It’s not about alerting you with more and more problems,” he said. “It’s about making it easier for you to do, frankly, the most basic step.”