Odds are that an online service you’ve used has suffered a data breach sometime in the past few years. Sometimes they’ll send you a message letting you know to change your password once the data breach is discovered. Sometimes they don’t. And sometimes they may not even know.

There’s little you can do to protect yourself from that last type of situation other than enabling multi-factor authentication for every service that supports it. But there are a number of ways to protect yourself against known data breaches.

You could check HaveIBeenPwned regularly for new breaches, or sign up for notifications. You could sign up for a similar service like Firefox Monitor. Or you could install a password manager like 1Password that alerts you to breaches involving your data.

Now there’s another option: Google has released a free Chrome extension called Password Checkup that lets you know when you’re using a compromised username and password with websites you visit using the Chrome web browser.

Here’s how it works: you install the Chrome extension and most of the time you won’t see anything other than a small icon in the corner of your browser. But when you log in to a website using compromised data, an alert will pop up suggesting you change your password.

This should work whether you’re using Chrome’s built-in password manager or not.

It’s important to note that you’ll only be notified about known data breaches. Right now Google says it has a list of 4 billion credentials that are known to be unsafe. The company also only lets you know about data that you can do something about, such as usernames and passwords. If your phone number or mailing address is leaked, Google won’t tell you.

The company’s decision to release this as a Chrome extension rather than a built-in feature of the browser is also reason #9,831 I really wish Chrome for Android supported extensions.

If you’re worried about the security implications of sending your password data back and forth to Google’s servers, the company says its list of compromised credentials is stored online in an encrypted database and your data is encrypted before it’s sent to Google to check against that database. In other words, Google doesn’t ever actually get to see your password.

You can read more about how Password Checkup works at the Google Security Blog.

Google is introducing Password Checkup on February 5th — which is Safer Internet Day. The company is also unveiling a new security feature called Cross Account Protection. While Google already lets users know if their Google account login details have been compromised, the company is also going to start notifying third-party services that you sign in to using your Google Account.

While that’s a positive step, I think an even better one may be to set up individual usernames and passwords for every service you use instead of logging in with Google, Facebook, or another account. That may be a little less convenient than signing into everything with one account, but it limits the damage that someone can do if they access one of your logins.



3 replies on “Google’s Password Checkup lets you know if your login data has been compromised (Chrome extension)”

  1. All these “Give us your beautiful and unique snowflake password and we will tell you if it’s on any lists…..” sites really make me wonder how many are just farming all input phrases and adding them to other lists.

    1. It is not clear to me whether the extension is actually using your password to make the determination, or if it is merely reporting to you that the particular site you are logging into has been the subject of a data breach, or perhaps only checking your username.

  2. Thank you for answering the security question. I’m not sure that completely alleviates my concerns, but perhaps for certain computers . . ..
