Google’s Password Checkup extension for its Chrome browser, which was announced in February this year, will get two new features. The extension displays a warning when a user is signing into a site with a username or password that is unsafe, especially if it was compromised in any previous third-party data breach.
One reason why Google came up with the Password Checkup extension is that users still tend to recycle their passwords, even ones which are unsafe and may have been compromised in the past. Sites like Have I Been Pwned offer similar services as well.
In a blog post, Google announced that it will add a feedback mechanism to the Password Checkup extension on Chrome. Google says this will let users alert them about any issues via a quick comment box.
The second feature gives users more control over their data by letting them opt out of the anonymous telemetry that the extension reports. The anonymous telemetry includes the number of lookups which surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage, notes the blog.
Google says that the Password Checkup extension is designed to ensure that the company does not learn of the username or password, even if the telemetry feature is enabled. The option is already live and can be seen in the advanced settings of the extension.
The company also revealed some learnings from the Password Checkup extension. According to Google, over 650,000 people have participated in this experiment since the Password Checkup extension was announced. In the first month, the extension scanned 21 million usernames and passwords and flagged over 316,000 passwords as unsafe. This was close to 1.5 per cent of the sign-ins scanned by the extension.
Google also revealed that based on the anonymous data reported by the Password Checkup extension, they found that users continued to reuse breached, unsafe credentials for sensitive items like finance, government, and even email accounts.
The blog post notes, “outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.” Users opt to reset 26 per cent of the unsafe passwords flagged by the extension. Also, 60 per cent of new passwords are secure against guessing attacks.
Another report on 9to5Google has revealed that Google could integrate the extension directly into Chrome. The report is based on information from the Chromium Bug Tracker, where some code changes give an indication of how it will work. It says the feature could be released in late October.