26 September 2023

Beyond the breach: Google creates data breach warning for users’ logins

Lawrence Abrams* says Google is adding a new feature that will alert users if their usernames and passwords were compromised when they log into a site.


Google is adding a built-in data breach notification service to the Chrome browser that will alert users when they are logging into sites with credentials that have been exposed by breaches.

With the constant leaking of account credentials from data breaches and the rampant password reuse commonly seen among users, data breach notification services were created to alert users when their email addresses were included in a data breach.

One of the more popular services is Have I Been Pwned, and Mozilla has partnered with it to launch the Firefox Monitor service, which is being integrated into the Firefox browser.

Not to be outdone, Google also recently launched a new data breach service through its Chrome Password Checkup browser extension, which, when installed, alerts users if their usernames and passwords were compromised when they log into a site.

Through the use of the Password Checkup extension, Google conducted a study that estimates 1.5 per cent of all logins have been compromised in data breaches.

This study also showed that 26 per cent of users who were shown a data breach notification changed their password.

Chrome to get built-in data breach notification

As this study showed that providing notifications of compromised login credentials was beneficial to users, Google is now building this support directly into the Chrome browser.

While this new “Password protection” feature is not fully developed yet, Google Chrome bug posts give us some insight into how the feature will work.

When the password protection feature is enabled, a new option will appear in the Google Chrome password manager that allows you to toggle on and off the compromised login detection feature.

For this feature to work, a user must first be logged into the browser.

Once logged in, when the user successfully logs into a site with credentials that have been seen in multiple data breaches, Chrome will display a “Data breach reported” alert.

It is not currently known what the “Check passwords” button will do, but it may bring the user to a page describing the breach and recommending a stronger password.

For enterprise users, Google will be adding a new policy titled “PasswordLeakDetectionEnabled” that will allow administrators to disable the password protection feature in Chrome.
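For administrators who want to confirm that a managed machine has not had the breach warning switched off, the following is an added example (not from the original article or from Google) that audits a directory of Chrome JSON policy files for the policy named above. It assumes the policy is a boolean, that policy files are merged in lexicographic order with the last file winning, and that on Linux the managed policy directory is /etc/opt/chrome/policies/managed; the file names in the demo are constructed.

```python
import json
import tempfile
from pathlib import Path

POLICY = "PasswordLeakDetectionEnabled"  # policy name given in the article


def effective_policy(policy_dir, name=POLICY):
    """Return (value, source_file, errors) for one policy in a policy directory.

    Assumption: files are applied in lexicographic order, last file wins.
    """
    value, source, errors = None, None, []
    for path in sorted(Path(policy_dir).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # unreadable or malformed JSON
            errors.append(f"{path.name}: unreadable ({exc})")
            continue
        if not isinstance(data, dict) or name not in data:
            continue
        if not isinstance(data[name], bool):  # e.g. "false" as a string
            errors.append(f"{path.name}: {name} is not a boolean")
            continue
        value, source = data[name], path.name
    return value, source, errors


def audit(policy_dir):
    """Classify the effective setting so a fleet check can flag 'disabled'."""
    value, source, errors = effective_policy(policy_dir)
    if value is None:
        status = "unset"        # no policy: the user's own toggle applies
    elif value:
        status = "enforced-on"
    else:
        status = "disabled"     # breach warnings turned off by policy
    return {"status": status, "source": source, "errors": errors}


def demo():
    # Constructed sample policy files, written to a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "10-baseline.json").write_text('{"PasswordLeakDetectionEnabled": true}')
        Path(d, "50-kiosk.json").write_text('{"PasswordLeakDetectionEnabled": false}')
        Path(d, "90-broken.json").write_text('{"PasswordLeakDetectionEnabled": ')
        return audit(d)


if __name__ == "__main__":
    print(demo())
```

A result of "disabled" names the file that turned the feature off, and the errors list surfaces malformed policy files that would otherwise be silently skipped by this check.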

Enabling the password protection feature

While this feature is still being developed, some of the user interface elements are in place in the Chrome 78 Canary build behind a flag.

To enable the Password Leak feature, you can go to chrome://flags and search for leak.

When the “Password Leak Detection” flag is shown, set it to Enabled and relaunch the browser when prompted.

Once Chrome has restarted, you will see the new feature under the browser’s password manager.

* Lawrence Abrams is the creator and owner of BleepingComputer.com. He tweets at @LawrenceAbrams.

This article first appeared at www.bleepingcomputer.com.
