cageymaru

Google has announced a new extension for Google Chrome called Password Checkup that will monitor the passwords that you type into websites to see if they have been compromised in a third-party data breach. Google says it has access to over 4 billion credentials that have been compromised and Password Checkup will issue a warning if it detects you using a credential that is known to be unsafe. Google worked with cryptography experts at Stanford University to incorporate protections that ensure your privacy is maintained by encrypting your credentials and making sure that they are never revealed to Google. The tool also has safeguards built-in to keep hackers from abusing it to reveal unsafe usernames and passwords. The Password Checkup extension will be improved over the coming months with better site compatibility and password field detection.

At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding.
 
People hate the passwords I come up with for routers, switches, vpns, admin and such. Usually something like this; .2ZwP41*hVx#Qkm9G.7. Cept my HardOCP password which is Passw0rd... i kid.
 
People hate the passwords I come up with for routers, switches, vpns, admin and such. Usually something like this; .2ZwP41*hVx#Qkm9G.7. Cept my HardOCP password which is Passw0rd... i kid.

Do they hate them because that password is impossible to remember and less safe than the password "hardocpbestkyleismykyle" ?
 
Great idea, until we read the article where someone decrypted the 20 billion passwords that google had inadvertently stored up by accident cuz they not evil.
 
A couple of secure websites I use have told me my passwords had been hacked/breached/shown up in the hacked database. Had to change them before I was allowed to log in. Like that idea--as long as the websites themselves are trustworthy. Not sure about the idea of all the browsers using this same information--rather have it on a per need basis.
 
Do they hate them because that password is impossible to remember and less safe than the password "hardocpbestkyleismykyle" ?

19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.
 
hilariously bad suggestion. just like their URL suggestion.
I thought that all passwords are only ever stored as hashes anyway? so the only thing this plugin would check is if the hash entered matches a compromised hash. as I type this it occurs to me that google probably captures exact keystrokes on any field with user interaction and canvas fingerprints you so... never mind. back to hilariously bad suggestion.
 
Do they hate them because that password is impossible to remember and less safe than the password "hardocpbestkyleismykyle" ?

you can be hated for both.

Nobody liked when I tried to make a wifi key for our remote access points something along the lines of SecretWifiKeyForTechniciansUseOnlyToLogInRemotelyAndConnectToVPNToDoTheirJobsButKeepingAllPublicFromGettingFreeWifi!!!!
 
"Yo dawg, I hear you like data breaches, so we took yo data that's been breached and put it into a database so your data that's been breached can get breached..."
 
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.

Characters are the only thing that matters because someone attacking your endpoint doesn't know that you didn't use characters so they have to assume you used characters. This is like how websites FORCE characters instead of just ALLOWING characters.

Also words are not less safe as long as the string of them are not from any books, movies, etc. If you did "allforoneandoneforall" that would be unsafe. Quotes from the bible are especially unsafe. As far as characters, most good brute forcing software will also auto try to substitute I with 1, O with 0, E with 3, etc...
 
hilariously bad suggestion. just like their URL suggestion.
I thought that all passwords are only ever stored as hashes anyway? so the only thing this plugin would check is if the hash entered matches a compromised hash. as I type this it occurs to me that google probably captures exact keystrokes on any field with user interaction and canvas fingerprints you so... never mind. back to hilariously bad suggestion.

In a good setup it should be saved as hash, in fact even sent over the network/internet as hash. As for this Google thing, it sounds like they may be checking actual credentials unless they're doing this as hash pairs or something along these lines. Either way, sounds like a bad idea which could potentially expose credentials. It also lets Google know which credentials go for which website and that in itself is totally unacceptable. Granted that this is an extension, it at least lets users install this if they are dumb enough. Though we can likely get a counter going until it's integrated into Chrome. This is yet another reason I don't use Chrome.
 
In a good setup it should be saved as hash, in fact even sent over the network/internet as hash. As for this Google thing, it sounds like they may be checking actual credentials unless they're doing this as hash pairs or something along these lines. Either way, sounds like a bad idea which could potentially expose credentials. It also lets Google know which credentials go for which website and that in itself is totally unacceptable. Granted that this is an extension, it at least lets users install this if they are dumb enough. Though we can likely get a counter going until it's integrated into Chrome. This is yet another reason I don't use Chrome.

Today it is an extension. Give it another 5 or so releases it could very well be built in but off by default for enhanced security, then another few releases and will be on by default for enhanced security.
 
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.

It's all about the length. Making some weird non-human readable password is not any harder for a computer than a sentence with multiple words. Each additional character increases the complexity of the password exponentially. So the longer the password the better.
https://xkcd.com/936/
 
It's all about the length. Making some weird non-human readable password is not any harder for a computer than a sentence with multiple words. Each additional character increases the complexity of the password exponentially. So the longer the password the better.
https://xkcd.com/936/

Well, length and complexity. Though almost every place has a lockout so brute forcing isn't generally feasible so best thing is to use different passwords everywhere. It seems most credentials are compromised via poor software or hacking of some resource so in case of XKCD comic, I doubt one password is any better than the other unless you are literally brute forcing or trying to crack a hash maybe. I highly doubt anyone is going to bother with that so simply using a relatively long passphrase unique to each resource is likely good enough. Most credential and hash databases just rely on finding a credential pair for your account. It may very well also be fake info as well. Use two factor where possible as well.
 
People hate the passwords I come up with for routers, switches, vpns, admin and such. Usually something like this; .2ZwP41*hVx#Qkm9G.7. Cept my HardOCP password which is Passw0rd... i kid.

All my passwords look something like that.

All generated using the automatic function in keepass.

Most of the time it is fine, except when setting up a new mobile device and needing to type the 64 character random password manually on a touch screen for first login :p
 
Hey, lets introduce another vector where possible attacks can occur.


And, because they aren't just checking my password against previous passwords I have used on my accounts, my passwords must now work out unique against 4 billion compromised ones.

Shit, overkill much Google?

In three years, we'll run out of passwords.
 
Well, length and complexity.

I agree with everything you said, especially how a compromised password just gets compromised on one site then hammered across all other sites. The only place I disagree is complexity. If a system is known to allow complex passwords, that is enough. The password itself doesn't have to be complex because the hacker has to assume you made a complex password. Also agree most sites block multiple attempts; however, if someone stole an archive for example and they get infinite tries, even in that case most people don't brute. They will use a dictionary based attack that includes the top 1000 most common passwords, then a dictionary filled with common words and phrases and substitute characters with numbers, then do iterations of the previous 2 which include leading and trailing special characters. If someone is still alive long enough to try all that and still not get in, I guess at that point they can do a raw brute attack. But again, if I'm attacking a site, archive, wifi AP, etc... I always assume the password is complex. This is why the password itself doesn't have to be complex. Kind of weird logic.
 
19 digits of 83 chars vs 6 words, you sure? My math is rusty. Definitely easier to remember. I would also add that not being able to remember a password is a form of security in itself.
Obligatory XKCD

 
I agree with everything you said, especially how a compromised password just gets compromised on one site then hammered across all other sites. The only place I disagree is complexity. If a system is known to allow complex passwords, that is enough. The password itself doesn't have to be complex because the hacker has to assume you made a complex password. Also agree most sites block multiple attempts; however, if someone stole an archive for example and they get infinite tries, even in that case most people don't brute. They will use a dictionary based attack that includes the top 1000 most common passwords, then a dictionary filled with common words and phrases and substitute characters with numbers, then do iterations of the previous 2 which include leading and trailing special characters. If someone is still alive long enough to try all that and still not get in, I guess at that point they can do a raw brute attack. But again, if I'm attacking a site, archive, wifi AP, etc... I always assume the password is complex. This is why the password itself doesn't have to be complex. Kind of weird logic.

But that's the funny thing, if you know a resource has infinite attempts and allows non complex passwords, outside of dictionary attack, you'd certainly first want to iterate simple passwords as there are way fewer options. I can't think of any online resource I use that doesn't have a lockout though. So perhaps some kind of wifi hacking may be feasible but most modern routers also have lockouts. Realistically your password doesn't have to be a completely random mess of characters, it just needs to be long, have varying case and be unique to reduce the likelihood of it being in some dictionary. But yeah, raw length is still kind if you potentially have to try different cases. XKCD cracking strength is not correct, it would be if you assume long password is also all characters and not just lower case and symbols. Either password would not be feasible to brute force outside dictionary attack or from known leaked passwords for a given user credentials.
 
Yeah if you're only using a complex password/passphrase to mitigate brute force you're prolly not doing it right. This thread got me thinking, did some searching on the subject.
 
Great idea, until we read the article where someone decrypted the 20 billion passwords that google had inadvertently stored up by accident cuz they not evil.

If it's anything like HaveIBeenPwned, you do not send the password to the service when you run the check.

The client (you) hashes (using SHA1) the password and splits it into 2 parts - the first 5 digits, then the remaining 35. You only submit the first 5 digits, and the service replies back with a list of hashes (the 2nd half, 35 digits) that had the 5 digits you submitted at the start.

Your client then walks that list to see if anything matches. So you _never_ send the full password hash and only your client knows the end result.
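The range-query scheme described in the post above, written out as an added example (not code from the thread or from HaveIBeenPwned): the "server" is a constructed in-memory index of SHA-1 digests bucketed by their first 5 hex characters, and the client only ever transmits that prefix and matches the remaining 35 characters locally. The sample breached passwords are made up for the demo.

```python
import hashlib

# Constructed stand-in for the service's breach corpus (not real leaked data).
BREACHED_PASSWORDS = ["Passw0rd", "password", "123456", "qwerty", "letmein"]

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (40 hex characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map each 5-char prefix to the set of 35-char suffixes.
    Full digests and plaintexts are never stored in this index."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Server side: the only thing the service learns is the 5-char prefix.
    It answers with every known suffix in that bucket, possibly none."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range query takes exactly %d hex characters" % PREFIX_LEN)
    return sorted(index.get(prefix, set()))


def is_breached(password: str, index):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns (matched, prefix_sent, bucket_size) so the caller can see exactly
    what left the client and how much of the corpus came back."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = range_query(index, prefix)  # the one network round trip
    return (suffix in candidates, prefix, len(candidates))


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for pw in ["Passw0rd", "correct horse battery staple"]:
        hit, sent, n = is_breached(pw, idx)
        print(f"{pw!r}: breached={hit}, server saw only {sent!r}, {n} suffixes returned")
```

With a real-sized corpus each prefix bucket holds hundreds of suffixes, which is what gives the query its k-anonymity; here the buckets are tiny only because the demo corpus is.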
 
Well I installed it since I have chrome store the passwords for the sites I permit (there are some I would never permit...)
It's dumb... I installed the extension and all good (nice green shield). Yesterday I used a throwaway password to sign up to an electronics component site and the plugin immediately complained. It just checks if a site has been compromised, not whether your specific info is part of it

 