Google’s new Chrome Extension automatically checks your passwords are still secure

By Jon Porter

Illustration by Alex Castro / The Verge

A new Chrome Extension from Google called Password Checkup will automatically check whether your passwords have been exposed in a data breach. Once installed, the extension checks any login details you use — Google says “most” US sites are supported — against a database of around four billion usernames and passwords, and warns you if it finds a match.

Password breaches are an unfortunately common occurrence, but so long as you’re using a unique password for each website, they’re normally fairly simple to deal with. Just change the login credentials used with the breached website and move on. Unfortunately, when massive breaches like Collection #1 compromise so many different passwords, it can be impossible to know which of yours are still safe. That’s where Google’s new extension comes in.

Password Checkup lives in your browser bar where it will alert you about any issues.

Since Password Checkup relies on sending your confidential information to Google, the company is keen to emphasize that this information is encrypted, and that it has no way of seeing your data. Passwords in the database are stored in a hashed and encrypted form, and any warning that’s generated about your details is entirely local to your machine.

Google isn’t the only company to offer such a service. 1Password’s robust password manager includes Watchtower integration to compare your passwords against Have I Been Pwned’s database of breached credentials. Google’s extension is free, and you can use Chrome’s built-in password generator to generate a new password if you find one of yours has been compromised.

While it sounds like a useful extension, ultimately Password Checkup further underlines how terrible passwords are as a means of keeping your accounts secure. Standards like WebAuthn, which replaces your password with a hardware token that only you have access to, are promising, but so few sites currently support the standard that it’s not really viable for widespread use. Two-factor authentication is another useful layer of security, but it too has limitations.

So for the time being, we’re going to repeat the same advice we give every time we talk about passwords. You should use a password manager, you should use a unique password for every site, you should change any affected passwords the moment you hear about a breach, and you should turn on two-factor authentication for all sites that support it. The difference now is that you should also consider installing the Chrome Password Checkup extension.