Google wants Chrome users to avoid ‘boring’ security problems with new extension
Google on Tuesday introduced a new browser extension that will alert users when they’re relying on a compromised username and password combination.
The plug-in, called Password Checkup, warns Google Chrome users when they enter credentials that previously have been exposed by hacks into non-Google websites. The tool compares the user’s anonymized credentials with a database of names and passwords stolen in prior data breaches, then warns them that re-using the same information on multiple sites makes them especially vulnerable to hackers.
The plan resembles ongoing security awareness tools like Have I Been Pwned, the free website where visitors can check if their email address was caught in a breach. Mozilla has added a feature to its Firefox web browser that uses Have I Been Pwned’s information to warn users when they visit a website that recently experienced a data breach.
Password Checkup is the latest effort from Google to help unwitting users understand when other websites are putting their information at risk, said Emily Schechter, a product manager on Chrome’s security team. Password Checkup is distinct from existing tools like Security Checkup, which allows Google users to check if their accounts are vulnerable; Chrome’s password generator; the Titan security key; and the various Google Cloud offerings announced last year.
“The most boring-sounding issues still create the most problems for users,” Schechter said. “The Chrome extension is coming from the philosophy that we want to help people when they’re not on Google products.”
Attempted cyberattacks against Dunkin’ Donuts and HSBC bank, for example, were made possible in part because so many customers re-used their credentials.
Google also used Chrome to spread its Safe Browsing initiative, which uses a bright red security warning to alert users when they are visiting a website that fails to protect user connections with SSL encryption. The number of encrypted web pages climbed to 77 percent of the web in 2018, up from 67 percent the year before, according to the SSL advocacy group Let’s Encrypt.
“I don’t want people to need to know what SSL is or to need to know what a secure password is to stay secure online,” she said. “We can’t fault people for using software in ways that make sense for them. We need companies to make products in ways that actually work for people.”
Security researchers at Chrome now are conducting research to better understand how closely internet users read the URL in their browser bar. If users don’t try to decipher web addresses, that presents an opportunity for scammers who can redirect them to a website that looks legitimate but in fact is designed to steal their information, Schechter said.
“If people are using Chrome and all their data can be intercepted from a public cafe, that’s not good for the internet itself,” she said. “And if people don’t feel fundamentally safe using the internet, that wouldn’t be good for Google.”
