Google has had a rather nifty feature available to users of its Password Manager since 2019. That feature is a Password Checkup which analyses your passwords.
Through this analysis Password Checkup can tell you whether a password has been compromised, whether a password is too weak or whether you’re reusing a password.
Now Google is bringing this feature to Android users through Autofill with Google.
“Whenever you fill or save credentials into an app, we’ll check those credentials against a list of known compromised credentials and alert you if your password has been compromised. The prompt can also take you to your Password Manager page, where you can do a comprehensive review of your saved passwords. Password Checkup on Android apps is available on Android 9 and above, for users of Autofill with Google,” software engineer in the Android team, Arvind Sugumar, wrote in a blog post.
You will need to enable the Autofill with Google feature in order to take advantage of this feature.
Now, there are bound to be security concerns here and, thankfully, Sugumar explains how the feature works so that users can have peace of mind.
“When the user interacts with a credential by either filling it into a form or saving it for the first time, we use the same privacy preserving API that powers the feature in Chrome to check if the credential is part of the list of known compromised passwords tracked by Google,” the engineer explained.
Rather importantly, only the first 3.25 bytes of a hashed username are sent to Google servers. Google servers then return a list of encrypted hashes from known breaches to the device. With this list on the device, a check is done to determine whether the credentials have been breached, and the user is alerted.
Google reiterates several times that it does not have access to unencrypted hashes of passwords and users don’t have unencrypted hashes of potentially breached credentials.
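A simplified model of the exchange described above, added here as an illustration and not Google's code. Only the 26-bit (3.25-byte) username-hash prefix comes from the article; SHA-256, the toy modular-exponentiation group and the names `Server`, `is_breached`, `prefix` and `to_group` are assumptions, and the breached list is constructed sample data.

```python
import hashlib
import math
import secrets

P = 2**127 - 1        # assumed toy group: integers modulo a Mersenne prime
PREFIX_BITS = 26      # 3.25 bytes, the figure quoted in the article
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]  # constructed

def new_key():
    """Random exponent that is invertible modulo P - 1, so blinding can be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def prefix(username):
    """First 26 bits of the username hash: the only unblinded value sent."""
    digest = hashlib.sha256(username.encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - PREFIX_BITS)

def to_group(username, password):
    """Map a credential pair to a group element (SHA-256 is an assumption)."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P

class Server:
    def __init__(self, breached):
        self._b = new_key()  # server secret, never leaves the server
        self._buckets = {}
        for user, pw in breached:
            enc = pow(to_group(user, pw), self._b, P)
            self._buckets.setdefault(prefix(user), set()).add(enc)

    def lookup(self, pfx, blinded):
        """Re-encrypt the client's blinded value and return the matching bucket."""
        return pow(blinded, self._b, P), self._buckets.get(pfx, set())

def is_breached(server, username, password):
    a = new_key()  # fresh client secret per lookup
    blinded = pow(to_group(username, password), a, P)
    double, bucket = server.lookup(prefix(username), blinded)
    # Strip the client's layer: (x^(a*b))^(1/a) = x^b, comparable to the bucket.
    single = pow(double, pow(a, -1, P - 1), P)
    return single in bucket
```

In this model the server sees only the prefix and a value blinded under the client's key, while the device sees breach hashes only under the server's key, which mirrors the property the article attributes to the feature.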
This seems like a clever idea and we hope that it holds up against the efforts of cybercriminals.
While this all sounds very secure, we would still highly recommend using a bespoke password management service. While they can be pricey, the feature sets are great and the peace of mind is priceless.
This is not a slight against Google, mind you; the introduction of Password Checkup for Android is a really great feature for folks who don’t use a password manager. Perhaps this feature will inspire more folks to consider using a service that makes remembering complex passwords a thing of the past.