Google Chrome will check for breached credentials every time you sign in anywhere

Double-encrypted. That said, if you're worried about over-sharing, what are you doing on Chrome?


A new feature in Google's Chrome browser will warn you if your username and password match a known combination in a data breach every time you type credentials into any website.


This credential check is "gradually rolling out for everyone signed into Chrome" as part of the Safe Browsing option, according to the announcement.


The potential worry here is that sending your credentials to Google for checking could itself be a security risk. The technology used was announced nine months ago, when the Password Checkup extension was introduced. At the time it was described as an "early experiment". The way it works is as follows:


  • Google maintains a database of breached usernames and passwords, hashed and encrypted. In other words, the username/password combinations are not stored, only the encrypted hash.

  • When you type in your credentials, the browser sends a hashed and encrypted copy of the credentials to Google, where the key used for encryption is private to the user. In addition, it sends a "hash prefix" of the account details, not the full details.

  • Google searches the breach database for all credentials matching the hash prefix and sends the results back to the browser. These are encrypted with a key known only to Google. In addition, Google encrypts your credentials with this same key – so it is now doubly encrypted.

  • The final check is local. Chrome decrypts the credentials using your private key, yielding a copy encrypted only with Google's key. This is then compared to the va ..
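The four-step exchange above, as an added toy example in Python (constructed here, not Google's code). It assumes modular exponentiation as the commutative encryption, a small toy prime `P`, 16-bit hash prefixes, and the hypothetical names `BreachServer` and `check_credential`:

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (61-bit Mersenne prime, 16-bit prefix); a real deployment uses a proper group.
P = (1 << 61) - 1
PREFIX_BITS = 16

def hash_credential(username: str, password: str) -> int:
    """Hash the pair to a group element in [2, P-2]; only this is ever encrypted and sent."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return 2 + int.from_bytes(digest, "big") % (P - 3)

def prefix_of(h: int) -> int:
    """Leading bits of the hash: the only part the client reveals in the clear."""
    return h >> (61 - PREFIX_BITS)

def new_key() -> int:
    """Secret exponent invertible mod P-1, so its encryption layer can be removed later."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and gcd(k, P - 1) == 1:
            return k

def encrypt(v: int, key: int) -> int:
    """Commutative encryption v^key mod P: two layers can be applied in either order."""
    return pow(v, key, P)

def decrypt(v: int, key: int) -> int:
    return pow(v, pow(key, -1, P - 1), P)  # inverse exponent strips one layer

class BreachServer:
    def __init__(self, breached):
        self.key = new_key()  # known only to the server
        self.db = {}
        for user, pw in breached:  # stored only as server-encrypted hashes
            h = hash_credential(user, pw)
            self.db.setdefault(prefix_of(h), []).append(encrypt(h, self.key))

    def lookup(self, prefix: int, client_blinded: int):
        """Server sees only a prefix and a client-encrypted hash, never the credential."""
        return self.db.get(prefix, []), encrypt(client_blinded, self.key)

def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind the hash, query by prefix, strip own layer, compare locally."""
    h = hash_credential(username, password)
    client_key = new_key()  # private to the user, never sent
    candidates, doubly = server.lookup(prefix_of(h), encrypt(h, client_key))
    server_only = decrypt(doubly, client_key)  # left with the server's layer only
    return server_only in candidates
```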