Google Chrome Now Fixes Your Compromised Passwords

Posted on May 18, 2021 by Paul Thurrott in Google Chrome, Android with 18 Comments

Google Chrome is expanding on the web browser’s password safety features by automatically fixing compromised passwords for you.

“Starting today, whenever Chrome detects a breach, it can fix any compromised passwords quickly, and safely,” Google’s Patrick Nepper writes. “Going forward, Chrome will help you change your passwords with a single tap.”

According to Google, whenever Chrome finds a password that may have been compromised, it will show a “Change password” button via the Google Assistant. When you tap that button, Chrome not only navigates to the site but also walks through the site’s password-change flow for you. This works only on “supported” websites, and Google hasn’t said what qualifies a site as supported. If a site isn’t supported yet, Google says Chrome’s password manager can still help you create a strong, unique password for any account.

The new feature is based on Google Duplex, which uses Google Assistant to help users complete tasks on the web, like buying movie tickets, ordering food, and checking in to flights.

Automated password changes are rolling out gradually in Chrome on Android, Google says, and the feature is available in the U.S. only for now. It will come to more sites and more countries in the coming months. (And I assume it will come to other platforms as well.)


18 responses to “Google Chrome Now Fixes Your Compromised Passwords”

  1. lvthunder

    The wording here is all confusing to see. When it says automatically fixing compromised passwords to me that means it does it without any input from you. But it sounds like that's not what's happening.

    • wright_is

      You click a button to say, yes, go ahead and change the compromised password for me, and it logs in using your old password, goes to the change password page, enters your old password, creates a new password and enters it (twice) and "clicks" ok. It then stores the changed password in its password store.

      So, yes, you have to confirm that the password should be changed, but the actual process should be fully automatic.

  2. wright_is

    Good luck with the COVID testing site here: the local chemist set up the accounts for my wife and me, set the password to "12345678", and there was no option to change the password.

    I contacted the platform; the password was set by the chemist doing the test, not the platform itself, but WTF is a new platform in 2021 doing, accepting something like that as a password in the first place?!?!

    In the end, I did manage to set a new password by clicking on the "forgot password" link... But it is very hard to forget "12345678"!

  3. scovious

    Do I want the world's largest advertising company to choose my passwords? I think not.

    • Paul Thurrott

      I think the right way to look at this is that it's a net win for the world: The non-technical/overly-trusting will now be better protected, and those who know what they're doing can continue to use better browsers (Edge) and/or third-party or other password managers.

    • vim fuego

      Guess you didn't watch the keynote where privacy was discussed in depth.

      For the lazy/stupid:

      "We never sell your personal information to anyone"

      • Paul Thurrott

        Also for the lazy/stupid, you can't trust anything Google does to protect your privacy. This company earns the vast majority of its money selling your personal information to advertisers. This is like the "ad blocker" Google built-in to Chrome. Hand-waving.

  4. darkgrayknight

    This really does just raise more questions. Which websites will this work with? The ones that are already easy to work with, most likely. The troublesome ones will be even more troublesome with Google trying to do some of it (the more likely scenario). I'll stick with Edge and Brave.

  5. red.radar

    How does Google know your password is compromised? Are they decrypting the database to compare it to a known list of compromised credentials?

    If yes, isn’t that a man in the middle?

    Not certain I feel safe knowing that Google has a plain-text version of my password to process, even if it’s for my own good…

    • wright_is

      They use the database from the website, run by security researcher Troy Hunt. It contains a list of all the public data breaches and the usernames (and partially the passwords) that have been ex-filtrated in the attacks on those sites.

      If you have an account with a p4wned site and/or your password for that site appears in the list, it will offer to change the password for you. To do a "full service", it should check your leaked passwords against your local password cache to see if you have used that password anywhere else as well and offer to change those.

      All the information (the compromised site, your email address and the password used) are in the public domain and available to anybody with enough knowledge to go and look up. There is no "magic" here.

      In Chrome, if you have chosen to use it to store your passwords, it has full access to those passwords. It has to, in order to be able to offer the username and password, when you log onto a site.

      There is nothing fishy going on. They are just offering a service using public domain information about your accounts and your locally stored passwords... And, if you choose account synchronisation across devices, then that password store is copied to Google's servers, but that is your choice.

      If you are that paranoid about this service, then you shouldn't be using Google Chrome and you certainly shouldn't be letting it save your passwords for you. Use a local password manager (like KeePass) or a dedicated password management system (like 1Password).

    • matthiasb

      No, it creates a hash (a scrambled version) of the password, and uses a subset of that to fetch and compare against a database of known compromised passwords. It's completely secure, and does not divulge your actual passwords to any server.

      Also, your password might appear in the compromised list if someone else used exactly the same password, so it doesn't necessarily mean any of your accounts have been compromised.
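The hash-prefix lookup described in the comment above, written out as an added example. This is illustration code, not Chrome's or Google's implementation: a simulated server holds only hashes and counts of a constructed breach corpus, the client sends a 5-hex-character prefix of the SHA-1 of the password (the range-query style popularised by Have I Been Pwned), and the full-hash comparison happens on the client. It also adds the "full service" the earlier reply asks for: auditing a local vault for reuse of the same password across sites. The corpus, counts and site names are all made up for the example.

```python
"""k-anonymity style compromised-password check (added example, not Chrome's code).

The server never sees the password or its full hash; it only sees a 20-bit prefix
and returns every stored hash suffix under that prefix. The client does the match.
"""
import hashlib
from typing import Dict, List, Tuple

PREFIX_LEN = 5  # hex chars sent to the server (20 bits of the 160-bit SHA-1)

# Constructed breach corpus: (password, times seen). Counts are invented.
CONSTRUCTED_BREACHES: List[Tuple[str, int]] = [
    ("12345678", 1000),
    ("password", 500),
    ("qwerty", 250),
    ("letmein", 3),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the range API convention uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachRangeServer:
    """Simulated breach database. Stores prefix -> [(suffix, count)], nothing else."""

    def __init__(self, entries: List[Tuple[str, int]]) -> None:
        self._by_prefix: Dict[str, List[Tuple[str, int]]] = {}
        for password, count in entries:
            digest = sha1_hex(password)
            self._by_prefix.setdefault(digest[:PREFIX_LEN], []).append(
                (digest[PREFIX_LEN:], count)
            )
        # Everything the server ever learns about clients: a list of 5-char prefixes.
        self.queries_seen: List[str] = []

    def range(self, prefix: str) -> List[Tuple[str, int]]:
        """Answer a range query: all (suffix, count) pairs sharing this prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly 5 upper-case hex characters")
        self.queries_seen.append(prefix)
        return list(self._by_prefix.get(prefix, []))


def check_password(password: str, server: BreachRangeServer) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    Only the hash prefix leaves the client; the suffix comparison is local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in server.range(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def audit_vault(vault: Dict[str, str], server: BreachRangeServer) -> Dict[str, Dict[str, object]]:
    """Check every saved credential and flag passwords reused across sites.

    One range query per distinct password, so reuse also costs nothing extra.
    """
    sites_by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    report: Dict[str, Dict[str, object]] = {}
    for password, sites in sites_by_password.items():
        count = check_password(password, server)
        for site in sites:
            report[site] = {"breach_count": count, "reused": len(sites) > 1}
    return report


def make_demo_server() -> BreachRangeServer:
    """Server loaded with the constructed corpus above."""
    return BreachRangeServer(CONSTRUCTED_BREACHES)


if __name__ == "__main__":
    srv = make_demo_server()
    # Hypothetical vault: site names are made up for the example.
    vault = {
        "covid-test.example": "12345678",
        "bank.example": "12345678",
        "mail.example": "uniqueXyz!42",
    }
    for site, result in audit_vault(vault, srv).items():
        print(f"{site}: seen {result['breach_count']} times, reused={result['reused']}")
    print("server saw only prefixes:", srv.queries_seen)
```

Note what the server log shows at the end: two 5-character prefixes and nothing else. That is the whole privacy argument for this design, and also its limit: a match means the password string itself has appeared in a breach, not that this particular account was breached.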

    • bluvg

      Pretty sure they're just monitoring breaches in general (Home Depot, etc.), not whether specific accounts were breached.

    • lvthunder

      Then you shouldn't be using a Google browser. The browser sees the password going out anyways.

      • red.radar

        I understand that, but there was this trust that they weren’t looking.

        Now they are looking and using it as data for processing. It’s one thing when it was "we can see, but it’s our policy to protect your privacy and look the other way." You still had control of the data, but there was someone who could look through the window, per se. Now Google is pulling your precious data into their house and doing something with it that they say is just for your protection.

        I think they crossed a line here that shouldn’t be crossed. If they do it then others will follow, and I am more worried about the next guy who isn’t being watched as heavily as Google.

      • bluvg

        You're right, there is an implicit trust of any application into which you're typing credentials. Google is one thing, although I'd personally be much more concerned about extensions.

  6. Chris_Kez

    I wonder if this will work any differently or better than the similar feature offered by LastPass.

  7. leilabd

    I think the problem with changing passwords automatically is that there is no generally accepted and supported way to do this. Every web site is different. "Supported sites" are probably those that are big enough and have enough users for it to be worth hand-crafting a solution for that site. Even those that publish an API to do it tend to have their own API.

    I think I heard/read somewhere that work was being done to develop a common password changing API that sites could support but I don't know whether it ever happened.