Android users now have an easy way to check the security of their passwords

Google is adding its password verification feature to Android, making the mobile operating system the company’s latest offering to give users an easy way to check whether the passwords they are using have been compromised.

Password Checkup works by verifying credentials entered into applications against a list of billions of credentials compromised in the countless breaches of websites that have occurred in recent years. If there is a match, users receive an alert, along with a prompt that can take them to the Google password manager page, which offers a way to review the security of all saved credentials.

The alerts look like this:

[Image: Password Checkup alert. Credit: Google]

Google launched Password Checkup in early 2019 as a Chrome extension. In October of that year, the feature arrived in Google Password Manager, a panel that examines web passwords saved in Chrome and synchronized with a Google account. Two months later, the company added it to Chrome.

Google Password Manager makes it easy for users to go directly to the websites where they use bad passwords by clicking the “Change password” button displayed next to each compromised or weak password. The password manager can be accessed from any browser, but it works only when users sync their credentials using their Google account password, instead of an optional standalone password.

The new password check became available on Tuesday on Android 9 and higher for users of autofill on Android, a feature that automatically adds passwords, addresses, payment details and other information commonly entered into web and app forms.

Android’s autofill framework uses advanced encryption to ensure that passwords and other information are available only to authorized users. Google has access to user credentials only when users 1) have already saved a credential to their Google account or 2) have been offered the option to save a new credential by the Android operating system and have chosen to save it to their account.

When a user interacts with a password by filling it into a form or saving it for the first time, Google uses the same encryption that powers Password Checkup in Chrome to check whether the credential is part of a list of known compromised passwords. The web application interface sends only passwords that have been cryptographically hashed with the Argon2 function to create a search key that is encrypted with Elliptic Curve encryption.

In a post published on Tuesday, Google said the implementation ensures that:

  • Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
  • The server returns a list of encrypted hashes of known breached credentials that share the same prefix
  • The actual determination of whether the credential has been breached occurs locally on the user’s device
  • The server (Google) does not have access to the unencrypted hash of the user’s password, and the client (user) does not have access to the list of unencrypted hashes of potentially breached credentials

Google wrote more about how the implementation works here.
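
The lookup in the list above can be sketched as a blinded exchange between device and server. This is an added example, not Google's code: it assumes a commutative-blinding construction, uses scrypt in place of Argon2 and modular exponentiation over a toy prime group in place of elliptic-curve encryption, and every name and sample credential is constructed.

```python
import hashlib, math, secrets

P = 2**521 - 1  # Mersenne prime; toy group standing in for the elliptic curve

def slow_hash(username: str, password: str) -> bytes:
    # scrypt stands in for Argon2, which is not in the standard library
    cred = f"{username}:{password}".encode()
    return hashlib.scrypt(cred, salt=b"constructed-demo-salt",
                          n=2**12, r=8, p=1, dklen=32)

def new_key() -> int:
    # Blinding exponent; must be invertible mod P-1 so it can be removed later
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def blind(value: int, key: int) -> int:
    return pow(value, key, P)

def unblind(value: int, key: int) -> int:
    return pow(value, pow(key, -1, P - 1), P)

class Server:
    def __init__(self, breached):
        self.key = new_key()
        self.buckets = {}  # 2-byte hash prefix -> set of server-blinded hashes
        for user, pw in breached:
            h = slow_hash(user, pw)
            entry = blind(int.from_bytes(h, "big"), self.key)
            self.buckets.setdefault(h[:2], set()).add(entry)

    def lookup(self, prefix: bytes, blinded: int):
        # The server sees only the prefix and a value blinded with a key it lacks
        return blind(blinded, self.key), self.buckets.get(prefix, set())

def is_breached(server: Server, username: str, password: str) -> bool:
    h = slow_hash(username, password)
    key = new_key()  # fresh client key for every lookup
    request = blind(int.from_bytes(h, "big"), key)
    double_blinded, bucket = server.lookup(h[:2], request)
    # Removing the client key leaves the hash under the server key only,
    # so the comparison against the bucket happens on the device
    return unblind(double_blinded, key) in bucket

# Constructed breach list for the demonstration
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "letmein")])
```

The parameters are sized for a demonstration only; a real deployment would use a prime-order elliptic-curve group and a tuned memory-hard hash.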

On most Android devices, autofill can be enabled by:

  1. Opening Settings
  2. Tapping System > Languages and input > Advanced
  3. Tapping Autofill service
  4. Tapping Google to check that the setting is enabled

Separately, Google on Tuesday reminded users of two other security features added to Android autofill last September. The first is a password generator that will automatically choose a strong and unique password and save it to users’ Google accounts. The generator can be accessed by long-pressing on the password field and selecting Autofill in the pop-up menu.

Users can also configure Android autofill to require biometric authentication before it adds credentials or payment information to an application or web field. Biometric authentication can be enabled in the Autofill with Google settings.
