Google has just rolled out a new Chrome browser extension that warns you if a username-password combination has been compromised in a data breach.
Called Password Checkup, the extension is available now, although Google warns that it's still a work in progress. Password Checkup compares the credentials you input into any website against a database of four billion known compromised credential sets and lets you know if your username-password combo is no longer good.
So if you sign into Acme.com with the username "email@example.com" and the password "BeepBeep", Password Checkup will send an encrypted version of those credentials over to its database.
If the the firstname.lastname@example.org/BeepBeep combo is among the four billion hacked sets of credentials, you'll get a big red warning that "your password for www.acme.com is no longer safe due to a data breach," and that you should change your password. If not, you'll be reassured that everything is good.
MORE: Best Password Managers
Google told Wired's Lily Hay Newman that its database is not the same as the Have I Been Pwned database of six billion compromised credential sets maintained by Australian security researcher Troy Hunt. Yet there's bound to be some overlap between the two.
There's another big difference: Have I Been Pwned lets you check passwords by themselves, and email addresses by themselves, but never both at the same time. That's because Hunt doesn't want Have I Been Pwned to be used by identity thieves to check whether a specific email address/password combination is valid.
Otherwise, anyone could try to "brute force" Have I Been Pwned by running, say, the 1,000 most commonly used passwords against a list of known or generated email addresses.
Google's Password Checkup does check both credentials at the same time, which makes us a little worried that the browser extension will make unsafe credentials even less safe. (Using it to check your own passwords should be perfectly fine.)
An official Google blog posting says the company "designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords."
We haven't had a chance to stress-test Password Checkup to see if those protections against brute-forcing work. But someone else certainly will.
Best Identity Protection Services
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
LifeLock Ultimate Plus
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.