In light of the news that Google has launched an extension, “Password Checkup”, that will show a warning when it detects a password that has been exposed online, IT security experts commented below.
Jake Moore, Cyber Security Expert at ESET UK:
“This is an excellent way to remind many people about their possibly weak or compromised passwords that need to be updated. It would be an incredible feat to have not had one of your passwords stolen in a data breach in recent years, so hopefully Google’s new tool will be a way of highlighting this and reminding you to change it.
For those who might feel uncomfortable checking their passwords with such a tool, Google has reassured that it has all the necessary security in place. Furthermore, if you don’t feel confident putting in your passwords into this new extension, after all the recent new breaches there’s no better time for users to update all their passwords anyway.”
Martin Cannard, VP, Privileged Access Management Product Strategy at STEALTHbits Technologies:
“While I applaud Google for taking steps to keep people aware of breached passwords, this is not an “easy” button to better security. Users have to leverage password managers to ensure strong unique passwords are used for all online sites. Credential stuffing is a more effective hack if you reuse passwords for more than one site. The Password Checkup tool should be used in conjunction with a password management tool to be totally effective.”
.
Ameya Talwalkar, Co-founder and CPO at Cequence:
This is a great move from Google because it can strengthen the security posture of millions of Google Chrome users. “Credential Checking” attacks, which exploit stolen credentials available on the dark web, have increased in volume and sophistication. Thousands of enterprises and literally billions of end-users are suffering because of this problem. Efforts by Google and others to warn users about their credentials will help put a spotlight on a big problem the industry faces at the moment.
.
Byron Rashed, VP of Marketing at Centripetal Networks:
“Compromised credentials are the basis for a threat actor to perform network infiltration, data exfiltration, spoofing, account takeover, stolen PII, and various other malicious activities that can create huge risks for businesses and individuals. Most Internet users (consumers) do not have even a basic knowledge of what a compromised credential is, or the ramifications of having their credentials stolen.
“Most likely Google is obtaining these credentials from dumps that are readily available and most likely have been for sale or trade in the underground economy. The real challenge of mitigating risk with regard to compromised credentials is to obtain the list from the threat actor before it is available for sale or on dump sites that are public. Most compromised credential sites only deliver those credentials that are already available. However, there is value into that since the credential may not be leveraged by cybercriminals…yet, and the user most likely has no knowledge of this since most are unaware of compromised credentials and where to find them. Google is using Chrome, which is used ubiquitously by their users to deliver this warning.
“Privacy is an issue, these credentials must be stored somewhere and transmitted to the browser. Any time credentials or PII are stored, it will create a target for cybercriminals that have very complex tools to extract them. The security of these credential that Google has I’m sure will be tested since it’s “password compromised-based,” not the username, meaning the compromised password for that site is still using the compromised credential.”
John Gunn, CMO at OneSpan:
“If Google really wants to help, they should include a Public Service Message reminding everyone to stop using the decades-old and unsafe practice of user name and password. Biometrics and other methods of authentication are far more secure and much easier for users.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.