
Google is adding its password checking feature to Android, making the mobile operating system the latest Google product to give users an easy way to check whether the passwords they use have been compromised.
Password checking works by comparing credentials entered into apps against a list of billions of credentials exposed in the countless website breaches of recent years. When there is a match, users receive a warning along with a prompt that directs them to Google's password management page, which provides a way to check the security of all saved credentials.
Warnings look like this:

Google introduced Password Checkup in the form of a Chrome extension in early 2019. In October of that year, the feature made its way to Google Password Manager, a dashboard that examines web passwords stored in Chrome and synced with a Google account. Two months later, the company added it to Chrome.
Google's Password Manager makes it easy for users to go straight to the sites where they have weak or compromised passwords by clicking the "Change Password" button that appears next to each one. The password manager is accessible from any browser, but it only works when users protect their synced credentials with their Google account password rather than with an optional standalone sync passphrase.
The new password checker became available on Tuesday to users of Android 9 and later who use Android Autofill, a feature that automatically fills in passwords, addresses, payment details and other information commonly entered into web and app forms.
The Android autofill framework uses strong encryption to ensure that passwords and other information are available only to authorized users. Google can access user credentials only when users have 1) already saved a credential to their Google account and 2) been prompted by the Android operating system to save a new credential and chosen to store it in their account.
When a user interacts with a password by filling it into a form or saving it for the first time, Google uses the same privacy-preserving check that Chrome uses to test whether the credentials appear in a list of known compromised passwords. The API only ever sends passwords that have first been cryptographically hashed with the Argon2 function to form a lookup key, which is then encrypted using elliptic-curve cryptography.
In a post published Tuesday, Google said the implementation ensures that:
- Only an encrypted credential hash leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
- The server returns a list of encrypted hashes of known breached credentials that share the same prefix
- The actual determination of whether the credentials have been breached is done locally on the user’s device
- The server (Google) cannot access the unencrypted hash of the user’s password and the client (User) cannot access the list of unencrypted hashes of potentially breached credentials
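The four properties above describe a private set intersection: the client blinds its hash, the server applies its own secret to both the blinded hash and its bucket of breached hashes, and the client removes its blinding and compares locally. The following Python model, written for this article and not Google's code, walks through that exchange with constructed data. It substitutes PBKDF2 for Argon2 and the multiplicative group modulo the prime 2^255 - 19 for the elliptic-curve group (both are assumptions made for portability, not Google's parameters), so it shows the data flow and the local decision, not production-grade hardness.

```python
"""Toy model of a prefix-partitioned, blinded credential lookup.

Client and server each hold a random secret exponent. Because exponentiation
is commutative, (x^a)^s == (x^s)^a, so the client can recover x^s from the
server's reply without the server ever seeing x, and without the client ever
seeing the server's unblinded bucket. This is an illustration, not Google's
implementation.
"""
import hashlib
import math
import secrets

# Assumption: a prime-field multiplicative group stands in for the EC group.
P = 2**255 - 19          # prime used by Curve25519, reused here only as a modulus
ORDER = P - 1            # exponents are reduced modulo the group order
SALT = b"constructed-fixed-salt"  # both sides must derive the same key


def credential_hash(username: str, password: str) -> bytes:
    """Stand-in for Argon2: a slow, salted KDF over username:password."""
    material = f"{username}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 10_000, dklen=32)


def hash_to_group(digest: bytes) -> int:
    """Map a 32-byte hash to a non-trivial group element in [2, P-2]."""
    return int.from_bytes(digest, "big") % (P - 3) + 2


def random_exponent() -> int:
    """Random exponent that is invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


class CheckupServer:
    """Holds breached credentials, pre-encrypted under the server secret s."""

    def __init__(self, breached):
        self.secret = random_exponent()
        self.buckets = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            encrypted = pow(hash_to_group(h), self.secret, P)
            # Partition on the first two hash bytes, as the article describes.
            self.buckets.setdefault(h[:2], []).append(encrypted)

    def query(self, prefix: bytes, blinded: int):
        """Return the doubly-blinded key and the matching encrypted bucket."""
        return pow(blinded, self.secret, P), list(self.buckets.get(prefix, []))


class CheckupClient:
    """Blinds a credential hash and decides locally whether it was breached."""

    def build_request(self, username: str, password: str):
        h = credential_hash(username, password)
        a = random_exponent()
        blinded = pow(hash_to_group(h), a, P)   # only this and h[:2] leave the device
        return h[:2], blinded, a

    def is_breached(self, server: CheckupServer, username: str, password: str) -> bool:
        prefix, blinded, a = self.build_request(username, password)
        doubly_blinded, bucket = server.query(prefix, blinded)
        # Remove our blinding: (x^a)^s raised to a^-1 gives x^s.
        unblinded = pow(doubly_blinded, pow(a, -1, ORDER), P)
        return unblinded in set(bucket)


# Constructed sample breach corpus and checks.
BREACHED = [("alice", "hunter2"), ("bob", "Password1"), ("carol", "letmein")]
SERVER = CheckupServer(BREACHED)
CLIENT = CheckupClient()


def check(username: str, password: str) -> bool:
    return CLIENT.is_breached(SERVER, username, password)


if __name__ == "__main__":
    for user, pw in [("alice", "hunter2"), ("alice", "correct horse battery")]:
        print(user, "breached" if check(user, pw) else "ok")
```

Two details are worth noticing when reading the code. The server learns only the two-byte prefix and a blinded value, so it cannot recover the hash; the client learns only server-encrypted bucket entries, so it cannot read the breach list even though the final comparison happens on the device. Because the hash covers username and password together, the same password under a different username does not match unless that pair is in the corpus.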
Google has written more about how the implementation works here.
Autofill can be enabled on most Android devices as follows:
- Open Settings
- Tap System > Languages & input > Advanced
- Tap Autofill service
- Tap Google and make sure the setting is on
Separately, Google on Tuesday reminded users of two other security features that were added to Android autofill last September. The first is a password generator that automatically chooses a strong, unique password and stores it in the user's Google account. The generator can be reached by long-pressing a password field and selecting Autofill from the pop-up menu.
Users can also configure Android autofill to require biometric authentication before it adds credentials or payment information to an app or web field. Biometric authentication can be enabled in the Autofill with Google settings.