Google is rolling out its handy Password Checkup tool to a wider audience because let’s be honest: How good is your password protocol? If you share your login credentials, re-use passwords across accounts (whether or not you perceive those accounts as low-risk), or use easy-to-guess passwords for any of your accounts, the answer is: probably not as strong as you think.
Common password sins, the same ones that can allow even unsophisticated bad actors to access your accounts, are the reasons Google is this week introducing a wide rollout of the popular Chrome extension it launched back in February. Staying on top of your account security can be a chore—who has the time to regularly check Have I Been Pwned for potential vulnerabilities?—and Google is hoping that taking the guesswork out of strong password protection will help improve the security of its users.
Password Checkup works like this: When you sign into an account—say, your bank or Netflix—the extension cross-checks those credentials with more than 4 billion usernames and passwords that have been exposed in a data breach (which are, unfortunately, exceedingly common), according to Google. If it finds that those login credentials have been exposed, or if they are particularly weak or have been re-used in your other accounts, it’ll flag a notice to change your password. Beginning Wednesday, and as part of National Cybersecurity Awareness Month, Password Checkup is launching in the Password Manager section of users’ Google Accounts to let them run a scan on their credentials with one click—no need to download the extension at all. Later this year, it’ll get baked right into Chrome, allowing potentially problematic credentials to be flagged on the fly.
Ahead of its wider rollout, Google partnered with Harris Poll to dig into the common password security habits of 3,419 U.S. adults that put those users at risk. What Google found were some “depressing” and “distressing” facts about password protocols among Americans, Mark Risher, director of account security at Google, said last week during a press event at the company’s New York City headquarters. For example, nearly one in four Americans have used passwords frequently flagged as common and weak (e.g. “111111,” “123456,” “Iloveyou,” or any other easy-to-remember variation).
Sixty-six percent of respondents reported using the same password for more than one account, the Harris survey found, a habit that can potentially compromise multiple accounts simultaneously in the event that one is exposed in a breach. Only 37 percent of users used multi-factor authentication, the poll found, and a mere 15 percent used a password manager—two security measures that are imperative to good password hygiene.
Risher said Americans tend to categorize their credentials into three primary tiers: highly sensitive (e.g. bank accounts), medium (like email), and non-important (Netflix, Seamless, etc.). But Risher added we kind of suck at this categorization—our words, not his—and end up reusing passwords when we shouldn’t. In a perfect world, every account would have a long, complex password that a user can neither remember nor even needs to know because a password manager does it for them, and that password would only need to be changed in the event of a security breach, as per recommendations by the National Institute of Standards and Technology. But because good security is often overlooked in favor of convenience, as the Harris survey suggests and we all know deep in our hearts to be true, Google is attempting to intervene.
Ultimately, Google said it’s trying to curb bad habits as well as misinformation around password protocols, such as the misconception that physically writing down a password is bad practice. (In fact, as we saw recently, writing passwords down and storing them safely can be quite effective in protecting against bad actors.) Sharing credentials for accounts perceived as low-risk, like Netflix or Hulu, is also a fuck-up, particularly in the event that the password for such an account is similar to or the same as that of another account. (According to the Harris Poll findings, 27 percent of Americans have attempted to guess someone else’s password, and of that number, 17 percent have done so successfully.)
Asked by Gizmodo how Google pulls together its database of more than 4 billion unique password pairs, Risher said that most of that information is collected by crawling the open web and its own search engine. But like, say, your credit card company, Google also crawls the dark web to hunt for exposed usernames and passwords, according to Risher.
This tool is meant to surface recurring, problematic, or at-risk password behaviors for people who may not already be taking necessary measures to protect their account data. (Get yourself a dang password manager, already!) But it may still be useful for the security buff already taking the necessary steps to protect their information. If, for example, login credentials for an old or forgotten account were breached and you somehow missed it, Google’s Password Checkup may remind you to update the username and password for that account. To boot, it’ll also work in tandem with password managers you may already use.
To access Password Checkup, just head to your Google Account, navigate to the Security screen, and then to your Password Manager (at the bottom). Or, just head here.