
Recently, hackers published collections number 1-5 in open access: about 2.7 billion accounts with passwords in total (magnet links: collection number 1, collection number 2-5). These passwords were collected over many years from every available source, including Russian sites. Anyone can check whether their password is in the database by entering its hash on the Have I Been Pwned (HIBP) website or in the Firefox Monitor service. Now there is another way to do this: the new Password Checkup extension for Chrome.
Password Checkup checks the password a user enters on any site. If a user enters compromised credentials somewhere, the extension signals this.
Like Firefox Monitor, the extension sends the server not the password itself but its hash for verification. See the detailed description of the cryptographic scheme, which is shown schematically in the illustration below.

Google claims that credentials are checked against a database of 4 billion accounts. This is more than HIBP has: it is possible that the company holds a database of passwords that have not yet been made publicly available.
Google notes that users of its own sites are protected from leaks automatically. The company constantly scans the hacker databases. If the password for a Google Account turns up in any of the leaks, it is automatically deactivated. This measure has already reduced the theft of Google accounts tenfold.