Mark Risher, Google's senior executive for account security, identity and abuse, told The Verge that passwords are one of the worst things on the Internet, claiming that although they are necessary for the safety and connection of individuals across many applications and sites, they are probably the main factor that leads to the compromise of users' systems. It may seem strange for a Google security executive to say this, since signing in to Gmail requires a password. However, the company has been trying for years to move users away from this model, or at least to minimize it. One of Google's most "silent" tools in this effort, the Password Checkup plugin, will become better known as it is linked to the Security Checkup dashboard that is built into every Google account. Although users can use a tool such as a password manager to keep track of their login credentials, many end up reusing the same passwords on multiple accounts.
Indicatively, 52% of users reuse the same password on multiple accounts, while 13% use the same password on all their accounts, according to the results of a survey published in February 2019 by Google and the company Harris. Microsoft said in 2019 that 44 million Microsoft accounts used leaked login credentials. While reusing a password on more than one account can be a way for users to remember a complex word, phrase or combination of letters, numbers and symbols that they think no one will ever be able to guess, in practice it can put their personal data at risk. If this reused password is leaked in a data breach, hackers could gain access to many of the user's other online accounts, no matter how complex the password is. According to Kurt Thomas, a member of Google's security and abuse research team, a person whose data have leaked is 10 times more likely to have an account compromised than a person who has not been exposed to a breach.
Google is trying to help users adopt better password habits. For years, the company has offered a built-in password manager in Google accounts, Chrome and Android, which can store users' passwords and automatically fill them in on sites and applications. Since last year, however, Google has also been trying to help users adopt stronger passwords with Password Checkup. The tool checks logins against a database of 4 billion leaked credentials to see whether the password a user enters matches one that has already been leaked.
Working out how Password Checkup could check for breached credentials in a way that respects confidentiality was a difficult technical problem that required a joint effort by Google and Stanford University. The challenge was to find a way to automatically check a user's credentials against a database of breached credentials without revealing those credentials to Google or giving the user access to the entire database, while at the same time scaling the solution to Google's huge user base. To do this, Google stores an encrypted version of every known username and password that has been exposed in a data breach. Each time a user signs in to an account, an encrypted version of their login information is sent to be checked against that database. That way, Google cannot see the user's password, and the user cannot see Google's list of known breached credentials. If Google detects a match, it displays a notification recommending that the user change their password for that site. Google receives compromised credentials from many different sources and trusted partners, including underground forums where passwords are publicly disclosed.
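The blinded lookup described above, sketched as an added example that is not Google's code or part of the original article. The article does not name the cryptography, so commutative blinding by modular exponentiation is an assumption here, and the toy group, the function names and the sample credentials are all constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

P = 2**521 - 1  # Mersenne prime: a toy group that shows the message flow only

# Constructed sample breach corpus (not real data).
LEAKED = [("alice@example.com", "hunter2"), ("bob@example.com", "correct horse")]

def h2g(username: str, password: str) -> int:
    """Hash a credential pair to a nonzero element of Z_P*."""
    digest = hashlib.sha512(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def keygen() -> int:
    """Random secret exponent that is invertible modulo the group order P - 1."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

class Server:
    """Keeps the breach corpus only in blinded form, H(cred)^b."""
    def __init__(self, leaked):
        self._b = keygen()
        self.blinded_db = {pow(h2g(u, p), self._b, P) for u, p in leaked}

    def answer(self, client_blinded: int):
        # The server sees only H(cred)^a, never the password or its plain hash.
        return pow(client_blinded, self._b, P), self.blinded_db

def check(server: Server, username: str, password: str) -> bool:
    """Client side: returns True if the credential is in the server's corpus."""
    a = keygen()                                       # fresh blinding key per lookup
    request = pow(h2g(username, password), a, P)       # H^a is all that leaves the client
    double_blinded, db = server.answer(request)        # H^(ab) and the set {L^b}
    unblinded = pow(double_blinded, pow(a, -1, P - 1), P)  # strip a, leaving H^b
    return unblinded in db                             # client learns match / no match

if __name__ == "__main__":
    srv = Server(LEAKED)
    print(check(srv, "alice@example.com", "hunter2"))     # leaked credential
    print(check(srv, "alice@example.com", "N0t-in-dump")) # unexposed credential
```

Returning the whole blinded set is workable only for a tiny constructed corpus like this one, and the 521-bit multiplicative group is not a secure parameter choice.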
The company has an ethical policy that it will never pay cybercriminals for stolen data. But because of the way these markets work, stolen data very often leaks. Using Google's personas in these markets, the company can obtain the data. It took about two to three years from its release for Password Checkup to appear in many Google products, according to Thomas. Google wants to notify users when it detects that a saved login has been compromised. Over the course of the year, Google plans to allow users to use Password Checkup in Chrome even if they are not signed in to a Google account.
Google is not the only company offering password checking. The paid password manager 1Password suggests changing weak or duplicate passwords and offers Watchtower, which checks users' login credentials against Troy Hunt's Have I Been Pwned database of more than 9 billion breached accounts. In addition, Apple announced that the next version of Safari will include a password monitoring tool that is expected to work similarly to Password Checkup. However, Google has an advantage in helping users with passwords thanks to its large scale. Tools such as Password Checkup and built-in password management serve a broader goal: making security easier for Internet users.