In an official blog post written by Kurt Thomas, Security and Anti-Abuse Research Scientist, and Adam Dawes, Senior Product Manager, Developer Tools for Identity, Google announced two new updates that will help keep data secure beyond just Google's sites and apps: Password Checkup, a Chrome extension that helps protect your accounts from third party data breaches, and a new feature called Cross Account Protection.
Password Checkup
Google helps keep a Google Account safe by proactively detecting and responding to security threats. For example, Google already automatically resets the password on your Google Account if it may have been exposed in a third party data breach, a security measure that reduces the risk of your account getting hacked by a factor of ten.
But Google wants to provide the same data breach protections for your accounts beyond just Google apps and sites. This is where the new Password Checkup Chrome extension can help. If it detects that a username and password on a site you use is one of over 4 billion credentials that Google knows have been compromised, the extension will trigger an automatic warning and suggest that you change your password.
Google also built Password Checkup so that no one, including Google, can learn your account details. To do this, Google has developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University. For a more technical description of these innovations, check out Google's security blog post.
This is the first version of Password Checkup, and Google said that it will be refining it in the coming months. You can take advantage of these new protections right away by installing the extension.
Cross Account Protection
In the rare case that an attacker is able to find a way into a Google Account, the firm has built useful tools to help you quickly get back to safety. Unfortunately, these protections haven't extended to the apps that you sign into with Google Sign In. Cross Account Protection helps address this challenge. When apps and sites have implemented it, Google is able to send them information about security events (like an account hijacking, for instance) so they can protect you, too.
Google has created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement. For app developers using Firebase or Google Cloud Identity for Customers & Partners, it is included by default.