Ransomware may be the scariest type of malware, but at least you know when your computer has been hijacked. Data breaches — we’ve had countless attacks affecting millions of users over just the past year — are even more concerning because a) you may not know for months that personal information has been stolen, b) you can never be sure when your credentials could be used to gain entry into an account, and c) there’s not a whole lot you can do to protect your data — it’s up to the government entities, banks and retailers who store your data.
Here’s some good news. A new Chrome extension from Google called Password Checkup will automatically check whether your passwords have been exposed in a data breach. All you have to do is install it. Once it has been activated in your Chrome browser, the extension checks any login details you use against a database of more than 4 billion usernames and passwords, and warns you if it finds a match. The big red alert then makes it easy for you to change the password for the breached account, and any other accounts in which you have used that same password. (It is never a good idea to use a password for multiple accounts; each password should be used for one account only, so that one exposure does not lead to many.)
Google said its new extension is an “experiment,” an expansion of a data security practice it has used on Google accounts over the past two years. Google regularly resets the passwords of Google accounts affected by third-party data breaches in the event of password reuse, the company explained in a blog post. “This strategy has helped us protect over 110 million users in the last two years alone,” Google said. Last week, Google released the new extension that protects not only your Google accounts like YouTube and Gmail, but the majority of websites served in the U.S.
You may be concerned about Google having access to your login credentials, but the company has made it clear that it does not. In fact, Password Checkup was developed with cryptology experts at Stanford University to make sure your passwords remain secure.
Without going into the technical detail, here’s how it works: When you log in to a website, Password Checkup automatically encrypts and sends the data to Google. If a match to a known unsafe password is found, Google stores a hashed, partial code for that information in your Chrome browser. This partial code can’t be used to recreate a complete version of your information.
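The partial-code idea can be illustrated with a short sketch. This is an added example, not Google's code, and it does not reproduce the Password Checkup protocol: it only shows why a truncated hash identifies a bucket of many credentials rather than one user's login, with the full comparison done locally. The function names, the one-byte prefix size and the sample credentials are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_HEX = 2  # hex chars of the hash that leave the client (1 byte): an assumed size


def cred_hash(username: str, password: str) -> str:
    """Hash the username/password pair; the NUL byte keeps the two fields unambiguous."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).hexdigest()


def build_index(breached):
    """Server side: group full hashes of breached credentials by their short prefix."""
    index = defaultdict(set)
    for user, pw in breached:
        h = cred_hash(user, pw)
        index[h[:PREFIX_HEX]].add(h)
    return index


def partial_code(username, password):
    """The only value the client reveals: a prefix shared by many unrelated credentials."""
    return cred_hash(username, password)[:PREFIX_HEX]


def is_exposed(index, username, password):
    """Client side: fetch the bucket for the prefix, then compare full hashes locally."""
    bucket = index.get(partial_code(username, password), set())
    return cred_hash(username, password) in bucket


# Constructed sample corpus: 5,000 synthetic pairs plus one reused credential.
BREACHED = [(f"user{i}@example.com", f"pass-{i}") for i in range(5000)]
BREACHED.append(("alice@example.com", "hunter2"))
INDEX = build_index(BREACHED)

if __name__ == "__main__":
    code = partial_code("alice@example.com", "hunter2")
    print("partial code sent:", code)
    print("credentials sharing that code:", len(INDEX[code]))
    print("alice/hunter2 exposed:", is_exposed(INDEX, "alice@example.com", "hunter2"))
    print("alice/new password exposed:",
          is_exposed(INDEX, "alice@example.com", "T7#long-unique-passphrase"))
```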
Ready to install Password Checkup? Head over to the Chrome Web Store at https://chrome.google.com. Type “Password Checkup” into the search box. As I wrote this, Password Checkup was the only result in the store, but as with any app or extension, make sure you are selecting the authentic product. Here you will see “offered by: google.” Click on the install button and confirm that you want to install it. You’ll then see the green Password Checkup icon in your toolbar. Go ahead and click on it, and hopefully you’ll see the same message I did: “None of your recently used passwords were detected in a data breach.”
If the time comes when you do get an alert that a password you are using is unsafe, here’s what you should do. Sign in to the account with the unsafe password. Create a new, strong password for the account and any other accounts that use the same password. If the site offers another security measure, like Two-Step Verification, set that up if possible. You’ll need a phone that can receive text messages. Next time you log in, the account will send a code to your phone that you will enter along with your password.
While Password Checkup can’t stop you from being affected by data breaches, it can let you know when your password has been compromised. Do note that the extension offers protection for only your login credentials, not other personal data that could have been stolen. However, knowing your password has been stolen from a particular account is a good heads-up for checking other information associated with it, such as a credit card, and improves your chances of minimizing any damage.