If you’re a Chrome user, Google is about to start warning you if your passwords have been stolen as you try to log in to a given website.
Google had already released a browser extension that did just that earlier this year, but is now turning it on by default in upcoming releases of the Chrome browser, starting with version M79. Anyone whose password has been leaked in a breach previously known to Google will receive a warning, suggesting they change their login information.
Users can control the new feature in Chrome Settings under Sync and Google Services. It’ll be gradually rolled out for everyone logged into Chrome.
How can Google do it?
Though Google will be watching as you enter your password, it won’t actually be able to see the login information. It does this using tried and tested encryption techniques that allow it to check one password against a massive trove of stolen credentials without seeing the plain text.
As Google explained in a blog post sent to Forbes ahead of publication on Tuesday: “When you sign in to a website, Chrome will send a strongly hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.”
To do this, Google first turns the password you’re entering into what’s known as a hash by putting it through an algorithm that turns it into a collection of letters and numbers. That string – which might look something like 855c3697d9979e78ac404c4ba2c66533 – is the hash. If the same password exists in Google’s trove of previously stolen logins, it would’ve gone through the same hashing algorithm and so a hash match will be found. That will show the password has been leaked without having to look at the actual login info.
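A sketch of how a blinded lookup of this kind can work, added here as an illustration and not Chrome's or Google's code: the client hashes the credentials and blinds the hash with a one-time secret, so the server only ever handles values it cannot reverse. The toy group (integers modulo 2**255 - 19), the PBKDF2 hash and every name below are assumptions chosen to keep the example short.

```python
import hashlib
import math
import secrets

# Assumption: toy group for illustration only, not a production parameter choice.
P = 2**255 - 19

def strong_hash(username: str, password: str) -> int:
    """Slow hash of the credential pair, mapped to a nonzero element mod P."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 b"breach-check:" + username.encode(), 10_000)
    return int.from_bytes(digest, "big") % (P - 1) + 1

def new_key() -> int:
    """Random exponent invertible mod P-1, so its blinding can be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    """Stores breached credentials only as hashes blinded with its own key b."""
    def __init__(self, breached):
        self._key = new_key()
        self.blinded_set = {pow(strong_hash(u, p), self._key, P)
                            for u, p in breached}

    def reblind(self, client_blinded: int) -> int:
        # The server sees H^a only; without a it cannot recover H.
        return pow(client_blinded, self._key, P)

def is_breached(server: Server, username: str, password: str) -> bool:
    a = new_key()                                    # secret known only to the client
    request = pow(strong_hash(username, password), a, P)   # H^a is sent
    response = server.reblind(request)               # H^(a*b) comes back
    unblinded = pow(response, pow(a, -1, P - 1), P)  # strip a, leaving H^b
    # Reading blinded_set here stands in for downloading the server's blinded
    # entries; the comparison happens on the client.
    return unblinded in server.blinded_set

if __name__ == "__main__":
    # Constructed sample data, not real leaked credentials.
    server = Server([("alice@example.com", "hunter2"),
                     ("bob@example.com", "letmein")])
    print(is_breached(server, "alice@example.com", "hunter2"))        # leaked pair
    print(is_breached(server, "alice@example.com", "a-new-password")) # changed password
```

Because the client picks a fresh key for every check, two lookups of the same password produce unrelated requests, and the server's stored values are useless to the client without the server's key.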
There are other services available if you’d rather not sign into Google. One of the most popular is Troy Hunt’s haveibeenpwned.com. All users have to do is enter their username to see if their information has been leaked.
If you get any kind of warning, and haven’t done so already, it’d be wise to change those leaked passwords as soon as possible. They might give hackers a way into your online private life or your bank account. Going even further, you could download a password manager, which will help create unique passwords for each site you visit. And where it’s available, try using a second factor of authentication.