In light of the news that Google has launched an extension, “Password Checkup”, that will show a warning when it detects a password that has been exposed online, IT security experts commented below.
“This is an excellent way to remind many people about their possibly weak or compromised passwords that need to be updated. It would be an incredible feat to have not had one of your passwords stolen in a data breach in recent years, so hopefully Google’s new tool will be a way of highlighting this and reminding you to change it.
For those who might feel uncomfortable checking their passwords with such a tool, Google has reassured that it has all the necessary security in place. Furthermore, if you don’t feel confident putting your passwords into this new extension, after all the recent new breaches there’s no better time for users to update all their passwords anyway.”
“While I applaud Google for taking steps to keep people aware of breached passwords, this is not an “easy” button to better security. Users have to leverage password managers to ensure strong unique passwords are used for all online sites. Credential stuffing is a more effective hack if you reuse passwords for more than one site. The Password Checkup tool should be used in conjunction with a password management tool to be totally effective.”
“This is a great move from Google because it can strengthen the security posture of millions of Google Chrome users. “Credential Checking” attacks, which exploit stolen credentials available on the dark web, have increased in volume and sophistication. Thousands of enterprises and literally billions of end-users are suffering because of this problem. Efforts by Google and others to warn users about their credentials will help put a spotlight on a big problem the industry faces at the moment.
“Compromised credentials are the basis for a threat actor to perform network infiltration, data exfiltration, spoofing, account takeover, stolen PII, and various other malicious activities that can create huge risks for businesses and individuals. Most Internet users (consumers) do not have even a basic knowledge of what a compromised credential is, or the ramifications of having their credentials stolen.
“Most likely Google is obtaining these credentials from dumps that are readily available and most likely have been for sale or trade in the underground economy. The real challenge of mitigating risk with regard to compromised credentials is to obtain the list from the threat actor before it is available for sale or on dump sites that are public. Most compromised credential sites only deliver those credentials that are already available. However, there is value in that, since the credential may not be leveraged by cybercriminals…yet, and the user most likely has no knowledge of this since most are unaware of compromised credentials and where to find them. Google is using Chrome, which is used ubiquitously by their users, to deliver this warning.
“Privacy is an issue: these credentials must be stored somewhere and transmitted to the browser. Any time credentials or PII are stored, it will create a target for cybercriminals that have very complex tools to extract them. The security of these credentials that Google has I’m sure will be tested, since it’s “password compromised-based,” not the username, meaning the compromised password for that site is still using the compromised credential.”
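The privacy concern raised above (a breached-credential corpus has to be stored and consulted from the browser) and the password-reuse point made earlier (reuse is what makes credential stuffing pay off) can both be illustrated with a small simulation. The following is an added example, not code from Google's extension and not a description of its actual protocol: it shows the generic hash-prefix "range query" pattern used by public breach-lookup services, in which the client sends only the first few hex characters of a password hash, the server answers with every hash suffix in that bucket, and the match is made locally, so neither the password nor its full hash ever reaches the server. The breach corpus, site names and passwords are constructed for the demo; `PREFIX_LEN`, `BreachServer` and the helper names are assumptions of this example.

```python
import hashlib
import hmac
from collections import defaultdict

# Number of hex characters of the SHA-1 digest the client reveals (assumed value
# for this example; real services use 5 so that every bucket holds many hashes).
PREFIX_LEN = 5

# Constructed breach corpus for the demo: password -> times seen in breaches.
BREACH_CORPUS = {
    "password123": 4,
    "letmein": 2,
    "qwerty": 9,
    "correct horse battery staple": 1,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest the lookup is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Server side of the range query: stores only hashes, bucketed by prefix."""

    def __init__(self, corpus: dict):
        self.buckets = defaultdict(dict)
        for password, count in corpus.items():
            digest = sha1_hex(password)
            self.buckets[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
        # Everything a client ever transmitted, kept so the demo can show that
        # no full hash or password crosses the wire.
        self.received = []

    def range_query(self, prefix: str) -> dict:
        """Return every {suffix: count} whose hash starts with `prefix`."""
        self.received.append(prefix)
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the hash prefix")
        return dict(self.buckets.get(prefix, {}))


def check_password(password: str, server: BreachServer) -> int:
    """Client side: returns how often the password appears in the corpus (0 if never).

    Only the prefix leaves the client; the suffix comparison happens locally and
    uses a constant-time compare so timing does not reveal which candidate matched.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in server.range_query(prefix).items():
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def reused_password_groups(accounts: dict) -> list:
    """Client-side reuse check: groups of sites (sorted) that share one password.

    `accounts` maps site name -> password. Any group with two or more sites is
    exposed to credential stuffing if any one of those sites is breached.
    """
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    server = BreachServer(BREACH_CORPUS)
    # Constructed set of accounts for the demo.
    accounts = {"mail": "password123", "shop": "password123", "bank": "Tq7!vR2p#Lm9"}
    for site, pw in accounts.items():
        print(site, "-> seen in breaches:", check_password(pw, server))
    print("reused across:", reused_password_groups(accounts))
    print("server only ever received:", server.received)
```

Running the block shows that `server.received` holds nothing but five-character prefixes, which is the property the privacy objection is about: the corpus still has to exist somewhere, but the lookup can be designed so the thing being checked is never sent. The reuse check runs entirely on the client and is the kind of signal a password manager provides alongside a breach lookup.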
“If Google really wants to help, they should include a Public Service Message reminding everyone to stop using the decades-old and unsafe practice of user name and password. Biometrics and other methods of authentication are far more secure and much easier for users.”
Author: ISBuzz Team, Information Security Buzz.