Chrome's Password Safety Tool Will Now Automatically Run in the Background (theverge.com) 39
Google's Safety Check feature for Chrome, which, among other things, checks the internet to see if any of your saved passwords have been compromised, will now "run automatically in the background" on desktop, the company said in a blog post on Thursday. From a report: The constant checks could mean that you're alerted about a password that you should change sooner than you would have before. Safety Check also watches for bad extensions or site permissions you need to look at, and you can act on Safety Check alerts from Chrome's three-dot menu. In addition, Google says that Safety Check can revoke a site's permissions if you haven't visited it in a while. Google also announced an upcoming feature for Chrome's tab groups, also on desktop: Chrome will let you save tab groups so that you can use those groups across devices, which might be handy when moving between a PC at home and a laptop when traveling. Google says this feature will roll out "over the next few weeks."
How does this work? (Score:4, Insightful)
> checks the internet to see if any of your saved passwords have been compromised
So... share my passwords with a database that could by hacked, thus compromising my passwords?
Re: (Score:3, Informative)
So... share my passwords with a database that could by hacked, thus compromising my passwords?
That hashed database is on your computer. Chrome downloads updates made to it occasionally.
So yes, if your local computer is hacked, ALL of your passwords on that local hacked computer are compromised.
The online copy of the database doesn't need to be hacked, as it is publicly available for download, and only contains hashed credentials that have already been compromised.
Re: (Score:2)
Re: (Score:2)
Doesn't really matter except for severity.
Even if only compromised credentials are kept, hashed, on a Google server and shared to Chrome clients... that's essentially a lovely thing for a rainbow table to process and let more bad people know about the credential sets.
Maybe I'm missing something there too, but not a lot of people use 15+ character passwords, and that was the minimum secure length over a decade ago.
Re: (Score:2)
The tables are there and easy to grab. If you care about it, you already can fetch it.
https://github.com/HaveIBeenPw... [github.com]
Given that these are all from breaches, known compromised passwords, offered up without assocication to usernames or sites, and in a one-way hash, I think there's no further compromise to be had. Yes you can trivially crack the whole list to get a dictionary of passwords to add to a dictionary attack, but that ship sailed years and years ago. You get a list of passwords known to be well
Re: (Score:1)
Yes, password security was significantly better a decade ago. The megacorps have been doing everything they can to neuter passwords and kill them off. e.g.: even though you may have previously used much more secure CorrectHorseBatteryStaple-style password phrases, Windows Hello now makes you sign in with a stupid 6 digit PIN.
If you spend any time on StackOverfl
Re: (Score:2)
Advance disclaimer: I have no idea how it actually works.
That said, I suspect it will go through your passwords stored in chrome, and query the DB of hacked info for site/login and get back the (hashed?) password, and compare it locally.
Re: (Score:2)
Re: (Score:2)
I doubt the full DB is hosted locally. The full "Have I been pwned" DB is somewhere over 65GB in size.
However, this only gets done to passwords you've already trusted Google with, so you aren't divulging *new* data to them.
Even assuming it's software that was delegating to, say, haveibeenpwned, then it'd just ask for, say, all hashes that begin with the hash 'A83CD'. Which if your password was compromised and an attacker knew it started with A83CD, it would, currently, narrow their dictionary to 859 pass
Re: (Score:2)
When I did this for home, I downloaded the entire have I been p0wned dataset and locally processed it.
Now doing that is a bit heavyweight to do on every client instance for a browser, however this is only running for passwords you are *already* syncing up with Google's infrastructure anyway. I wager Google is keeping this facility "on premise" for them and thus your password is at no additional risk than it already may be.
Now if I were offering this with a lightwieght on-device password manager, I'd be tem
Re: (Score:2)
Now doing that is a bit heavyweight to do on every client instance for a browser, however this is only running for passwords you are *already* syncing up with Google's infrastructure anyway. I wager Google is keeping this facility "on premise" for them and thus your password is at no additional risk than it already may be.
It's done locally, not on the server. It couldn't be done on the server because you have the option of encrypting the password databased that is synced to Google, which would break a server-side implementation.
Instead, it's done with the "Have I been Pwned" strategy that you mentioned: Sending truncated hashes to a server that checks them against the database and sends any matches back for local comparison to your actual password.
Re: (Score:2)
> checks the internet to see if any of your saved passwords have been compromised
So... share my passwords with a database that could by hacked, thus compromising my passwords?
No.
The way it works is that your browser hashes your passwords locally and truncates the hashes to a few bits, short enough that lots of collisions are guaranteed. Then your browser sends the truncated hashes to the password check server, which compares them with truncated hashes from a database of known-compromised passwords, meaning passwords that have been exposed in data breaches. The server then sends back all of the known-compromised passwords whose truncated hashes match your password's truncated h
Re: (Score:2)
Chrome has a local database of common passwords, and passwords found in data breaches.
You can also use web services like Have I Been P0wned, which can check your password without you having to send it to them. Instead you send part of a hash of your password, and the site returns all matching hashes for you to check against locally.
I Guess Fuck Google Too (Score:3)
After years of posting 'Fuck Apple' comments, I guess it's time to add in Google. I've tried to avoid it. I've tried to overlook their idiocy and control ideas.
Fuck Google & Apple. Oh, and Chrome too.
Re: (Score:2)
It has been time to say "Fuck Google" for quite a while.
Re: (Score:2)
Sometimes I find myself unknowingly swimming in the river denial. I guess it's like the same issues I have with Microsoft except they try to keep the bullshit all inside. Google likes to let it out and my love affair with information retrieval from ages ago has clouded my lines of judgement and forgiveness.
Well, I'm wet and cold so I'm getting out of the river and going to dry off in my OpenSource tent.
Re: (Score:2)
What exactly do you think Chrome is doing?
What is wrong with checking a local database of known comprised passwords and warning you about any that you use is worthy of this reaction?
pigware (Score:1)
More crap to bog down a system running unnecessary crap in the background, just like their update checker. There is the kind of goodie-goodie that thinks they're making their mark on the world throwing this bullshit we didn't ask for into our face.
Re: (Score:2)
Note that if you had a 15 year old computer with no GPU available, you'd still chew through checking a thousand passwords in less than 1/60th of a second. This is not a big computational deal.
Re: (Score:2)
Re: (Score:1)
you're making a lot of assumptions on how their wares work, and I don't need their assumptions on doing something unnecessary to me.
Hopefully switching it off (Score:2)
To switch it off, go to "privacy and security" in the settings. Oh wait, they removed that menu option as well. So first, go to chrome://settings, then "privacy and security", and then switch to "basic protection". Yes, if you disabled all spy-services, you have to switch them temporarily ON. Then disable the "feature". Then switch back to whatever protection none if you want to.
That seems to do the trick, but I did not check my computer's network traffic.
Re:Hopefully switching it off (Score:4, Informative)
To switch it off, change to a different browser.
Re: (Score:2)
This.
Re: (Score:2)
To switch it off, change to a different browser.
I agree entirely. I would simply add "don't store passwords in your browser". It's not that much extra effort to open a password manager and copy / paste credentials. I do it all the time.
Switch to Edge! (Score:2)
Switch to Edge! It's so much better and since Microsoft only has your best interests at heart, you will never be disappointed. Never!
(Do I really have to tag this as sarkasm?)
The MS question applies to Google now, too? (Score:2)
I.e. "There's a new feature they launched, is there a way to disable it and if, how?"
Or you could not store passwords in your browser (Score:3)
Re: (Score:2)
I see it the other way. Google automatically looks for compromised passwords that I've saved. If I hadn't saved them, it would never know, and wouldn't be able to alert me when one of my passwords appears on the dark web somewhere. I prefer to know.
Re: (Score:2)
Seems to me like managing/storing passwords in the same software/process that is connecting to the Internet, downloading scripts/code, and executing them, is a bad idea. Using a separate password manager, running under a different security context than the browser (and not running when not needed) is a better idea.
If you're talking about web site passwords then there's no security benefit in keeping them outside of the browser's security context, since you're just going to give them to the browser every time you use them.
Clearly, there would be some security benefit in keeping passwords that aren't used on the web in a separate password manager. But most people don't have many of those these days.
Re: (Score:3)
Seems to me like managing/storing passwords in the same software/process that is connecting to the Internet, downloading scripts/code, and executing them, is a bad idea. Using a separate password manager, running under a different security context than the browser (and not running when not needed) is a better idea.
If you're talking about web site passwords then there's no security benefit in keeping them outside of the browser's security context, since you're just going to give them to the browser every time you use them.
Clearly, there would be some security benefit in keeping passwords that aren't used on the web in a separate password manager. But most people don't have many of those these days.
While that is true for the passwords you are actively using at the moment, it's not true for passwords for websites you are currently visiting. When passwords are stored in the browser, the browser itself has access to all those passwords. This means that the browser itself can upload them to wherever it wants, whenever it wants (with or without your permission). The browsers now mostly automatically patch themselves now. So if the browser developers decide that they want to test all your passwords for you,
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Any additional complexity you add to the password usage process leads to worse password practices. Google can get fucked for a lot of reasons, but browser based password management isn't one of them.
And comparing your password database with an online database of compromised passwords and warning you in advance if something is wrong is objectively a good thing.
Phone (Score:1)