Google Launches Password Checkup Extension

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
19,882
Google has announced a new extension for Google Chrome called Password Checkup that will monitor the passwords that you type into websites to see if they have been compromised in a third-party data breach. Google says it has access to over 4 billion credentials that have been compromised and Password Checkup will issue a warning if it detects you using a credential that is known to be unsafe. Google worked with cryptography experts at Stanford University to incorporate protections that ensure your privacy is maintained by encrypting your credentials and making sure that they are never revealed to Google. The tool also has safeguards built-in to keep hackers from abusing it to reveal unsafe usernames and passwords. The Password Checkup extension will be improved over the coming months with better site compatibility and password field detection.

At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding.
 

PeaKr

Gawd
Joined
Sep 6, 2004
Messages
874
People hate the passwords I come up with for routers, switches, VPNs, admin and such. Usually something like this: .2ZwP41*hVx#Qkm9G.7. 'Cept my HardOCP password, which is Passw0rd... I kid.
 

Seventyfive

[H]ard|Gawd
Joined
Jul 14, 2004
Messages
1,347
People hate the passwords I come up with for routers, switches, VPNs, admin and such. Usually something like this: .2ZwP41*hVx#Qkm9G.7. 'Cept my HardOCP password, which is Passw0rd... I kid.
Do they hate them because that password is impossible to remember and less safe than the password "hardocpbestkyleismykyle"?
 

bobdabilder

Limp Gawd
Joined
Oct 7, 2009
Messages
291
Great idea, until we read the article where someone decrypted the 20 billion passwords that Google had inadvertently stored up by accident, cuz they not evil.
 

tordogs

Limp Gawd
Joined
Mar 25, 2010
Messages
489
A couple of secure websites I use have told me my passwords had been hacked/breached/shown up in the hacked database. Had to change them before I was allowed to log in. Like that idea--as long as the websites themselves are trustworthy. Not sure about the idea of all the browsers using this same information--rather have it on a per need basis.
 

PeaKr

Gawd
Joined
Sep 6, 2004
Messages
874
Do they hate them because that password is impossible to remember and less safe than the password "hardocpbestkyleismykyle"?
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.
 

darckhart

Limp Gawd
Joined
Jun 15, 2013
Messages
238
Hilariously bad suggestion. Just like their URL suggestion.
I thought that all passwords are only ever stored as hashes anyway? So the only thing this plugin would check is if the hash entered matches a compromised hash. As I type this it occurs to me that Google probably captures exact keystrokes on any field with user interaction and canvas fingerprints you, so... never mind. Back to hilariously bad suggestion.
 

Exavior

[H]F Junkie
Joined
Dec 13, 2005
Messages
9,683
Do they hate them because that password is impossible to remember and less safe than the password "hardocpbestkyleismykyle"?
You can be hated for both.

Nobody liked when I tried to make a wifi key for our remote access points something along the lines of SecretWifiKeyForTechniciansUseOnlyToLogInRemotelyAndConnectToVPNToDoTheirJobsButKeepingAllPublicFromGettingFreeWifi!!!!
 

DNMock

Limp Gawd
Joined
Apr 16, 2015
Messages
399
"Yo dawg, I hear you like data breaches, so we took yo data that's been breached and put it into a database so your data that's been breached can get breached..."
 

Seventyfive

[H]ard|Gawd
Joined
Jul 14, 2004
Messages
1,347
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.
Characters are the only thing that matters because someone attacking your endpoint doesn't know that you didn't use characters so they have to assume you used characters. This is like how websites FORCE characters instead of just ALLOWING characters.

Also words are not less safe as long as the string of them are not from any books, movies, etc. If you did "allforoneandoneforall" that would be unsafe. Quotes from the bible are especially unsafe. As far as characters, most good brute forcing software will also auto try to substitute I with 1, O with 0, E with 3, etc...
 

zkostik

Gawd
Joined
Sep 17, 2009
Messages
929
Hilariously bad suggestion. Just like their URL suggestion.
I thought that all passwords are only ever stored as hashes anyway? So the only thing this plugin would check is if the hash entered matches a compromised hash. As I type this it occurs to me that Google probably captures exact keystrokes on any field with user interaction and canvas fingerprints you, so... never mind. Back to hilariously bad suggestion.
In a good setup it should be saved as a hash, in fact even sent over the network/internet as a hash. As for this Google thing, it sounds like they may be checking actual credentials unless they're doing this as hash pairs or something along these lines. Either way, sounds like a bad idea which could potentially expose credentials. It also lets Google know which credentials go for which website, and that in itself is totally unacceptable. Granted that this is an extension, it at least lets users install this if they are dumb enough. Though we can likely get a counter going until it's integrated into Chrome. This is yet another reason I don't use Chrome.
 

Exavior

[H]F Junkie
Joined
Dec 13, 2005
Messages
9,683
In a good setup it should be saved as a hash, in fact even sent over the network/internet as a hash. As for this Google thing, it sounds like they may be checking actual credentials unless they're doing this as hash pairs or something along these lines. Either way, sounds like a bad idea which could potentially expose credentials. It also lets Google know which credentials go for which website, and that in itself is totally unacceptable. Granted that this is an extension, it at least lets users install this if they are dumb enough. Though we can likely get a counter going until it's integrated into Chrome. This is yet another reason I don't use Chrome.
Today it is an extension. Give it another 5 or so releases and it could very well be built in but off by default for enhanced security, then another few releases and it will be on by default for enhanced security.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.
It's all about the length. Making some weird non-human-readable password is not any harder for a computer than a sentence with multiple words. Each additional character increases the complexity of the password exponentially. So the longer the password the better.
https://xkcd.com/936/
 

zkostik

Gawd
Joined
Sep 17, 2009
Messages
929
It's all about the length. Making some weird non-human-readable password is not any harder for a computer than a sentence with multiple words. Each additional character increases the complexity of the password exponentially. So the longer the password the better.
https://xkcd.com/936/
Well, length and complexity. Though almost every place has a lockout so brute forcing isn't generally feasible so best thing is to use different passwords everywhere. It seems most credentials are compromised via poor software or hacking of some resource so in case of XKCD comic, I doubt one password is any better than the other unless you are literally brute forcing or trying to crack a hash maybe. I highly doubt anyone is going to bother with that so simply using a relatively long passphrase unique to each resource is likely good enough. Most credential and hash databases just rely on finding a credential pair for your account. It may very well also be fake info as well. Use two factor where possible as well.
 

Zarathustra[H]

I Complain about Everything
Joined
Oct 29, 2000
Messages
29,975
People hate the passwords I come up with for routers, switches, VPNs, admin and such. Usually something like this: .2ZwP41*hVx#Qkm9G.7. 'Cept my HardOCP password, which is Passw0rd... I kid.
All my passwords look something like that.

All generated using the automatic function in keepass.

Most of the time it is fine, except when setting up a new mobile device and needing to type the 64 character random password manually on a touch screen for first login :p
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
Hey, let's introduce another vector where possible attacks can occur.

And, because they aren't just checking my password against previous passwords I have used on my accounts, my passwords must now work out unique against 4 billion compromised ones.

Shit, overkill much Google?

In three years, we'll run out of passwords.
 

Seventyfive

[H]ard|Gawd
Joined
Jul 14, 2004
Messages
1,347
Well, length and complexity.
I agree with everything you said, especially how a compromised password just gets compromised on one site then hammered across all other sites. The only place I disagree is complexity. If a system is known to allow complex passwords, that is enough. The password itself doesn't have to be complex because the hacker has to assume you made a complex password. Also agree most sites block multiple attempts; however, if someone stole an archive for example and they get infinite tries, even in that case most people don't brute. They will use a dictionary based attack that includes the top 1000 most common passwords, then a dictionary filled with common words and phrases and substitute characters with numbers, then do iterations of the previous 2 which include leading and trailing special characters. If someone is still alive long enough to try all that and still not get in, I guess at that point they can do a raw brute attack. But again, if I'm attacking a site, archive, wifi AP, etc... I always assume the password is complex. This is why the password itself doesn't have to be complex. Kind of weird logic.
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.
Obligatory XKCD

[attached image: password_strength.png]
 

zkostik

Gawd
Joined
Sep 17, 2009
Messages
929
I agree with everything you said, especially how a compromised password just gets compromised on one site then hammered across all other sites. The only place I disagree is complexity. If a system is known to allow complex passwords, that is enough. The password itself doesn't have to be complex because the hacker has to assume you made a complex password. Also agree most sites block multiple attempts; however, if someone stole an archive for example and they get infinite tries, even in that case most people don't brute. They will use a dictionary based attack that includes the top 1000 most common passwords, then a dictionary filled with common words and phrases and substitute characters with numbers, then do iterations of the previous 2 which include leading and trailing special characters. If someone is still alive long enough to try all that and still not get in, I guess at that point they can do a raw brute attack. But again, if I'm attacking a site, archive, wifi AP, etc... I always assume the password is complex. This is why the password itself doesn't have to be complex. Kind of weird logic.
But that's the funny thing: if you know a resource has infinite attempts and allows non-complex passwords, outside of a dictionary attack, you'd certainly first want to iterate simple passwords as there are way fewer options. I can't think of any online resource I use that doesn't have a lockout though. So perhaps some kind of wifi hacking may be feasible, but most modern routers also have lockouts. Realistically your password doesn't have to be a completely random mess of characters, it just needs to be long, have varying case and be unique to reduce the likelihood of it being in some dictionary. But yeah, raw length is still king if you potentially have to try different cases. XKCD cracking strength is not correct; it would be if you assume the long password is also all characters and not just lower case and symbols. Either password would not be feasible to brute force outside a dictionary attack or from known leaked passwords for a given user's credentials.
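The entropy argument that runs through the thread (PeaKr's "19 digits of 83 chars vs 6 words", Seventyfive's "the hacker has to assume you made a complex password", and the XKCD figure disputed above) can be made concrete by computing the keyspace under each attacker model. The block below is an added example, not anything posted in the thread; the alphabet size of 83, the 2048-word XKCD list, the 7776-word Diceware list and the 1000 guesses/second rate are assumptions stated in the comments. The point it shows is that the same passphrase has very different strength depending on whether the attacker models it as random characters or as words from a list, and a cracker will try the cheaper model first.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if each position is an independent uniform pick from the alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Bits of entropy if each word is an independent uniform pick from the word list."""
    return word_count * math.log2(wordlist_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to reach the right guess: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second / SECONDS_PER_YEAR


def thread_comparison() -> dict:
    """Entropy of the two passwords argued over in the thread, under each attacker model.

    Assumptions (constructed for this example, not stated by any poster except where noted):
      - the random string has 19 positions drawn from an 83-symbol alphabet (PeaKr's figures);
      - the passphrase 'hardocpbestkyleismykyle' is 23 lowercase letters forming 6 words;
      - an attacker who knows it is built from words picks from a 2048-word list
        (the XKCD figure, 11 bits per word) or a 7776-word Diceware list.
    """
    phrase = "hardocpbestkyleismykyle"
    return {
        # What the attacker must assume if they have no idea how the password was built.
        "random_19_from_83_symbols": charset_entropy_bits(83, 19),
        "phrase_if_modelled_as_random_lowercase": charset_entropy_bits(26, len(phrase)),
        # What the attacker gets to assume once they guess "it's a few dictionary words".
        "phrase_6_words_from_2048_list": wordlist_entropy_bits(2048, 6),
        "phrase_6_words_from_7776_list": wordlist_entropy_bits(7776, 6),
    }


def attacker_view(bits_by_model: dict, guesses_per_second: float) -> dict:
    """Years of expected work for each model at the given guess rate (assumed, not from the thread)."""
    return {name: expected_crack_years(bits, guesses_per_second)
            for name, bits in bits_by_model.items()}


if __name__ == "__main__":
    bits = thread_comparison()
    for name, value in bits.items():
        print(f"{name:45s} {value:7.1f} bits")
    # 1000 guesses/second is the online-attack rate used in the XKCD comic (assumed here).
    for name, years in attacker_view(bits, 1000).items():
        print(f"{name:45s} {years:.3g} years at 1000 guesses/s")
```

The numbers back both sides partially: 19 random symbols from an 83-character set is about 121 bits, while six words from a 2048-word list is 66 bits, so the random string wins on entropy. But 66 bits is still out of reach for online guessing behind a lockout, which is the practical point made above; the model that matters is the cheapest one the attacker can justify, which is why the wordlist figure, not the "looks like 23 random letters" figure, is the honest strength of a passphrase.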
 

PeaKr

Gawd
Joined
Sep 6, 2004
Messages
874
Yeah, if you're only using a complex password/passphrase to mitigate brute force, you're prolly not doing it right. This thread got me thinking, did some searching on the subject.
 

socK

2[H]4U
Joined
Jan 25, 2004
Messages
3,845
Great idea, until we read the article where someone decrypted the 20 billion passwords that Google had inadvertently stored up by accident, cuz they not evil.
If it's anything like HaveIBeenPwned, you do not send the password to the service when you run the check.

The client (you) hashes (using SHA1) the password and splits it into 2 parts - the first 5 digits, then the remaining 35. You only submit the first 5 digits, and the service replies back with a list of hashes (the 2nd half, 35 digits) that had the 5 digits you submitted at the start.

Your client then walks that list to see if anything matches. So you _never_ send the full password hash and only your client knows the end result.
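The range-query scheme described in the post above (hash locally, send only the first 5 hex characters, get back every suffix in that bucket, match on the client) is easy to show end to end. The block below is an added example written for this thread, not code from Have I Been Pwned or from Google's extension; the breach corpus is a handful of constructed sample passwords (including the thread's "Passw0rd" joke) and the "server" is a local function, so nothing leaves the machine. Google's Password Checkup, as quoted in the first post, adds blinding and private information retrieval on top of this idea; those are not implemented here.

```python
import hashlib
import secrets

# Constructed breach corpus for the example. A real service stores only the
# hashes of leaked passwords; the plaintexts below exist just to build the index.
_CONSTRUCTED_BREACHED_PASSWORDS = ["Passw0rd", "123456", "password", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password: 40 hex characters = 5-char prefix + 35-char suffix."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-hex-char prefix -> set of 35-char suffixes that share it.
_BREACH_INDEX: dict = {}
for _pw in _CONSTRUCTED_BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    _BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

# Everything the simulated server has ever been sent, so the privacy property
# ("the server only ever sees 5 hex characters") can be verified after the fact.
SERVER_QUERY_LOG: list = []


def server_range_lookup(prefix: str) -> list:
    """Simulated server: given a 5-hex-char prefix, return every known suffix in that bucket.

    Returning the whole bucket is the k-anonymity step: the server learns which bucket
    was asked for, but not which member (if any) the client actually holds.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_QUERY_LOG.append(prefix)
    return sorted(_BREACH_INDEX.get(prefix, set()))


def is_pwned(password: str) -> bool:
    """Client side: hash locally, transmit only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = server_range_lookup(prefix)
    # The match is decided here, on the client; the server never learns the outcome.
    return suffix in candidates


def anonymity_set_size(password: str) -> int:
    """Number of corpus hashes sharing this password's prefix (the k in k-anonymity)."""
    return len(_BREACH_INDEX.get(sha1_hex(password)[:5], set()))


if __name__ == "__main__":
    for pw in ["Passw0rd", secrets.token_urlsafe(24)]:
        print(f"{pw!r}: breached={is_pwned(pw)}, bucket size={anonymity_set_size(pw)}")
    print("server saw only:", SERVER_QUERY_LOG)
```

With a corpus of five entries the buckets are tiny, which is why a real deployment needs a corpus of hundreds of millions of hashes (each 5-character prefix then covers several hundred suffixes) before the prefix alone stops being a useful hint; the code is the same, only the size of `_BREACH_INDEX` changes.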
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
Well, I installed it since I have Chrome store the passwords for the sites I permit (there are some I would never permit...).
It's dumb... I installed the extension and all good (nice green shield). Yesterday I used a throwaway password to sign up to an electronics component site and the plugin immediately complained. It just checks if a site has been compromised, not whether your specific info is part of it.

 