Odds are that an online service you’ve used has suffered a data breach sometime in the past few years. Sometimes they’ll send you a message letting you know to change your password once the data breach is discovered. Sometimes they don’t. And sometimes they may not even know.
There’s little you can do to protect yourself from that last type of situation other than enabling multi-factor authentication for every service that supports it. But there are a number of ways to protect yourself against known data breaches.
You could check HaveIBeenPwned regularly for new breaches, or sign up for notifications. You could sign up for a similar service like Firefox Monitor. Or you could install a password manager like 1Password that alerts you to breaches involving your data.
Now there’s another option: Google has released a free Chrome extension called Password Checkup that lets you know when you’re using a compromised username and password with websites you visit using the Chrome web browser.
Here’s how it works: you install the Chrome extension and most of the time you won’t see anything other than a small icon in the corner of your browser. But when you log in to a website using compromised data, an alert will pop up suggesting you change your password.
This should work whether you’re using Chrome’s built-in password manager or not.
It’s important to note that you’ll only be notified about known data breaches. Right now Google says it has a list of 4 billion credentials that are known to be unsafe. The company also only lets you know about data that you can do something about, such as usernames and passwords. If your phone number or mailing address is leaked, Google won’t tell you.
The company’s decision to release this as a Chrome extension rather than a built-in feature of the browser is also reason #9,831 I really wish Chrome for Android supported extensions.
If you’re worried about the security implications of sending your password data back and forth to Google’s servers, the company says its list of compromised credentials is stored online in an encrypted database and your data is encrypted before it’s sent to Google to check against that database. In other words, Google doesn’t ever actually get to see your password.
You can read more about how Password Checkup works at the Google Security Blog.
Google is introducing Password Checkup on February 5th — which is Safer Internet Day. The company is also unveiling a new security feature called Cross Account Protection. While Google already lets users know if their Google account login details have been compromised, the company is also going to start notifying third-party services that you sign in to using your Google Account.
While that’s a positive step, I think an even better one may be to set up individual usernames and passwords for every service you use instead of logging in with Google, Facebook, or another account. That may be a little less convenient than signing into everything with one account, but it limits the damage that someone can do if they access one of your logins.