Google Chrome will check for leaked credentials every time you sign in anywhere

A new feature in Google's Chrome browser will warn you if your username and password matches a known combination in a security breach every time you type credentials into any website. This credential check is "gradually rolling out for everyone signed into Chrome" as part of the Safe Browsing option, according to the …

  1. JimmyPage
    Flame

    Is this *another* attempt to smother me in Gmail shit ?

    If so, please, please, please

    Fuck

    Right

    Off

    1. Anonymous Coward
      Anonymous Coward

      If Google put as much effort into its "AI"

      as it did into bot-scouring forums to drive downvotes, they'd rule the world ....

      To the PP - you need to rewrite your grumble so it uses loads of positive words, while still saying what a steaming pile o'shite it is being dragooned into Google's "Gmail everywhere" programme.

    2. BillG
      WTF?

      Re: Is this *another* attempt to smother me in Gmail shit ?

      I have two gmail accounts I use for non-critical purposes. Gmail is now demanding my mobile phone number or it will not log me in.

      Google and privacy do not go together.

      1. doublelayer Silver badge

        Re: Is this *another* attempt to smother me in Gmail shit ?

        I wholeheartedly agree. However, I don't know of a reliable external email system that hasn't recently gained the desire to have your mobile number for verification (verification, I say. Not advertising or data selling. Stop questioning us, you puny end-user). My main email is through my own mailserver, but I need an external email which runs the accounts for the domain name and mailserver, so if there's a good one out there that isn't likely to start demanding extra details, I'd like to identify it.

        1. andy 28

          Re: Is this *another* attempt to smother me in Gmail shit ?

          zoho? They do free webmail like google, yahoo but without the intrusions. 5Gb, IMAP, etc. I think they do paid options too. No affiliation, just a user

      2. Anonymous Coward
        Anonymous Coward

        Re: Is this *another* attempt to smother me in Gmail shit ?

        get a free pay-as-you-go-sim, enable it, but don't put credit on it.

        bingo.

        1. Teiwaz

          Re: Is this *another* attempt to smother me in Gmail shit ?

          get a free pay-as-you-go-sim, enable it, but don't put credit on it.

          bingo.

          Careful now,

          A certain mobile phone company I've been barely using for at least a decade with little to no hassle from their end has now begun spamming me with warnings that I'm not using it enough and am at risk of losing my number.

          Ever since they were bought by a bastion of British telefoolery.

          1. Anonymous Coward
            Anonymous Coward

            Re: Is this *another* attempt to smother me in Gmail shit ?

            It's just for registering, then you can bin it.

            1. Kiwi

              Re: Is this *another* attempt to smother me in Gmail shit ?

              It's just for registering, then you can bin it.

              You can't.

              Every now and then, the device and IP number you've been using several times a day, every day, for the last 10 years, will be deemed by "google" to be new and previously unused. They will decide you cannot be logged in till you can verify your account, and to do that they need to send you a text.

              (Now, if your phone gets a number of verification texts every day, will that count as sufficient use?)

              1. FrogsAndChips Silver badge

                Re: will that count as sufficient use?

                "Use" means "outgoing calls", generating revenue for your operator. All low-cost operators that I know of have a clause that you have to make calls at least once every 3 or 6 months or your number gets deactivated.

                1. Kiwi

                  Re: will that count as sufficient use?

                  Here it's typically a year (last I looked), however any unused pre-pay credit could be stolen in as little as a month (think that brand changed that a while back).

                  Sadly gone are the days when you could buy a cheap phone, stick $5 credit on it, and wire it into your car's alarm system to send you an alert/phone you when the alarm was triggered. Well, you still can, but you need to add credit every now and then.

                  Over here they don't care if you use the credit to make calls, as it "disappears" after a while, so then your credit is almost all profit.

                  IIRC there was at least one telco that counted incoming stuff as 'use' and reset their counter to the last inbound/outbound text or call.

    3. N2

      Re: Is this *another* attempt to smother me in Gmail shit ?

      Agreed,

      They can bash it where the sun don't shine.

  2. krf

    Is there a problem here?

    Wow. This is like making friends with the big city mobsters to protect yourself against the pickpockets and grab-and-run thieves.

    1. Efer Brick

      Re: Is there a problem here?

      Guild of Thieves, Cutpurses, Housebreakers and Allied Trades

      https://wiki.lspace.org/mediawiki/Thieves%27_Guild

  3. Zippy´s Sausage Factory

    So... what happens when Google's master key gets compromised?

    Encryption is all very well but wouldn't a one-way hash of an encryption be better? Although that could be cracked if you know the hashing algorithm and want to spend some time cracking them...

    The problem is that if they're stored there is a weakest point. There's always a weakest point.

    The only verifiably 100% guaranteed way to avoid the credentials leaking is not to store them, unfortunately.

    1. JetSetJim
      Mushroom

      > what happens when Google's master key gets compromised?

      That would never happen. Not ever. Really

    2. Anonymous Coward
      Childcatcher

      what happens when Google's master key gets compromised?

      Your end also generates a key and the data is transferred using both keys and only hashes are swapped.

      That is assuming that the system is working as specified publicly and not doing something else entirely. How could we know?

      1. doublelayer Silver badge

        Re: what happens when Google's master key gets compromised?

        The approach they claim to use wouldn't work most of the time. While it works fine if the passwords were originally in plain text, it doesn't work if the hashes were salted at all or used a hashing algorithm other than the one Google's decided upon. Chrome wouldn't know the salt or algorithm to use, meaning the sent data wouldn't be matchable to whatever is in the database. Google has a lot of employees intelligent enough to understand this. Logically, they considered it. My guess is that they made the system work and now are being a little evasive in explaining exactly how it works.

        1. Kiwi

          Re: what happens when Google's master key gets compromised?

          My guess is that they made the system work and now are being a little evasive in explaining exactly how it works.

          Pops a query over to haveibeenpawned.com (or whatever that site is) and asks 'on your behalf'?

          All unsuccessful queries fully logged for future use of course. I mean so that if it gets detected in future they can warn you early, honest!

      2. Kiwi

        Re: what happens when Google's master key gets compromised?

        That is assuming that the system is working as specified publicly and not doing something else entirely. How could we know?

        There's one way I know it couldn't be used in a malicious way...

        <clickey>d e l c h r o m e . e x e<clickey>

        (or in my case, never installed)

    3. Dal90

      > when

      Five Eyes laugh. It'll be decades before those damn Commies figure it out.

  4. Anonymous Coward
    FAIL

    Why Google need an encrypted copy of my credentials anyway?

    Since it sends back a set of credentials matching the hash prefix, the matching of the full credentials hashes can happen locally without ever sending the actual credentials to Google, encrypted or not.

    So the real question is: why Google wants the credentials on its side??

    1. tiggity Silver badge

      Re: Why Google need an encrypted copy of my credentials anyway?

      A hash match is not necessarily a match - hash collisions occur

      1. hmv

        Re: Why Google need an encrypted copy of my credentials anyway?

        Use a better hashing algorithm.

        And in reality hash collisions are so contrived that you're unlikely to generate one with two reasonably sane passwords.

    2. eldakka

      Re: Why Google need an encrypted copy of my credentials anyway?

      Since it sends back a set of credentials matching the hash prefix, the matching of the full credentials hashes can happen locally without ever sending the actual credentials to Google, encrypted or not.

      So the real question is: why Google wants the credentials on its side??

      I don't think you understand (or I misunderstand your point).

      You don't send your credentials for Google to later send back the set of hashes that match the prefix to do the check on your local computer.

      The credentials that Google has are those that have been compromised already. It doesn't get them from you, it gets them from published hacks (scraped from the dark web marketplaces that sell them, or more likely from security researchers who find them on the dark web and publish them).

      Therefore, if in the hashes Google sends back there is a match, it means that those credentials are already out in the wild and in the possession of miscreants.

      1. FrogsAndChips Silver badge

        Re: Why Google need an encrypted copy of my credentials anyway?

        You don't send your credentials

        Yes you do, that's even the first part of the process: "When you type in your credentials, the browser sends a hashed and encrypted copy of the credentials to Google". OK they're encrypted with your own local key, so Google shouldn't be able to read them, but as the OP pointed out, why not just send the hash prefix and do the comparison on the hashes only?

        1. eldakka

          Re: Why Google need an encrypted copy of my credentials anyway?

          Interesting, re-reading it you are right:

          2. When you type in your credentials, the browser sends a hashed and encrypted copy of the credentials to Google, where the key used for encryption is private to the user. In addition, it sends a "hash prefix" of the account details, not the full details.

          3. Google searches the breach database for all credentials matching the hash prefix and sends the results back to the browser. These are encrypted with a key known only to Google. In addition, Google encrypts your credentials with this same key – so it is now doubly encrypted.

          What seems even weirder is why does google encrypt the already known compromised credentials? I mean, the whole point of Google having them in its database is because they are already compromised and in the wild, so why would you encrypt that (beyond TLS for when sending/receiving via HTTPS)?

          1. FrogsAndChips Silver badge

            Re: Why Google need an encrypted copy of my credentials anyway?

            Just because the compromised credentials are already in the wild doesn't mean Google shouldn't keep their own copy secure. A leak doesn't give you the right to do whatever you like with private data. What would we say if Google published a few credentials on their homepage every day?
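
Added example, not part of the thread, the article or Chrome's code: a sketch of the exchange quoted in steps 2 and 3 above, showing how double encryption lets the browser compare against the breach bucket without either side seeing the other's data in readable form. Modular exponentiation stands in for the commutative cipher, and the names `Server`, `client_check`, the 2-byte prefix and the sample credentials are all assumptions made for illustration.

```python
import hashlib
import math
import secrets

P = 2**255 - 19  # a known prime; toy group for this demo, not a vetted parameter

def keygen():
    """Random exponent invertible mod P-1, so a blinding layer can be removed."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def hash_credential(username, password):
    """Return (short hash prefix, hash mapped to a non-zero element mod P)."""
    d = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return d[:2].hex(), (int.from_bytes(d, "big") % P) or 1

def blind(x, key):
    return pow(x, key, P)

def unblind(x, key):
    return pow(x, pow(key, -1, P - 1), P)

class Server:
    """Holds breached credentials only in blinded form, bucketed by prefix."""
    def __init__(self, breached):
        self.key = keygen()  # known only to the server
        self.buckets = {}
        for user, pw in breached:
            prefix, x = hash_credential(user, pw)
            self.buckets.setdefault(prefix, set()).add(blind(x, self.key))

    def lookup(self, prefix, client_blinded):
        # Step 3: add the server's layer to the client's value, return the bucket.
        return blind(client_blinded, self.key), self.buckets.get(prefix, set())

def client_check(server, username, password):
    key = keygen()  # step 2: key private to the user, fresh per lookup
    prefix, x = hash_credential(username, password)
    double, bucket = server.lookup(prefix, blind(x, key))
    # Strip only our own layer; the result is comparable to the bucket entries.
    return unblind(double, key) in bucket

# Constructed sample data
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "letmein")])
```

The server sees only a short prefix and a value blinded under a key it does not hold; the browser receives bucket entries it cannot reverse into raw hashes, which is what sending unencrypted breach hashes for local comparison would give up.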

  5. sabroni Silver badge

    Embrace, extend....

    ...what comes next?

    1. deadlockvictim

      Re: Embrace, extend....

      The meme of 'All your base is belong to us' is probably more appropriate.

      Imagine Eric Schmidt as a sci-fi villain from an '80s Japanese video game and you have your image for the day.

      1. Anonymous Coward
        Anonymous Coward

        "Imagine Eric Schmidt as a sci-fi villain from an '80s Japanese "

        Googlezilla?

        Although today it's more like a Bollywood movie...

      2. eldakka

        Re: Embrace, extend....

        The meme of 'All your base ~~is~~ are belong to us' is probably more appropriate.

        FTFY.

        1. deadlockvictim

          Re: Embrace, extend....

          You are right.

          I realised it too late (i.e. after the 10 minute edit period).

          I hold my head in shame.

    2. Aussie Doc
      Flame

      Re: Embrace, extend....

      ...extinguish?

    3. commonsense

      Re: Embrace, extend....

      ...what comes next?

      Lube up.

  6. Mark #255
    Happy

    Firefox FTW

    The Firefox "Logins & Passwords" item has had a rather nice revamp recently.

    It gives the following warning:

    Passwords were leaked or stolen from this web site since you last updated your login details. Change your password to protect your account. Learn more about this breach

    in a nice yellow box.

  7. Halfmad

    Only a matter of time

    Until Google stops you using inappropriate words and phrases because it doesn't match their whitelist which advertisers have approved.

    1. Anonymous Coward
      Anonymous Coward

      Re: Only a matter of time

      I think Verizon Wireless might already do that. Try incorporating vzwsucks into a password on that site...

      1. NetBlackOps

        Re: Only a matter of time

        Microsoft did the same with a rider one of mine.

  8. M. Poolman
    Holmes

    ...worry here is that sending your credentials to Google ... could ... be a security risk

    See icon

    (ellipses because title too long)

  9. NonSSL-Login
    Big Brother

    Preference

    I would rather not be logged in to google, ever, than gain the benefits of their password breach notifications.

    Good feature for those that are happy for Google to hoover up all their personal data though!

    Hashing and only sending part of the hash is probably the best way they could have done it for speed and security reasons. Saying that, those pesky 3 letter agencies probably have some way to abuse the limited data sent anyway.

  10. RyokuMas
    Facepalm

    No, really...

    This is all about protecting users. Yes, really. Honestly. This is purely altruistic, and there is absolutely no reason for concern in having to log into a Google account...

    Someone tell Google that this would be even more believable if they wrote it on the side of a bus...

  11. Pascal Monett Silver badge
    Stop

    "you have to sign into Chrome"

    Yup, well that's that, then.

    Not gonna happen, ever. Google has enough data on me as it is without me handing it over on a silver platter.

  12. JohnFen

    Once again

    Yet another thing that makes me happy that I don't use Chrome/Chromium.

  13. Anonymous Coward
    Anonymous Coward

    if it smells like a

    "sending your credentials to Google for checking could itself be a security risk" I feel "is" is more accurate than "could"

    "The idea is that your credentials are never sent to Google in a form it can read" yeah, I gotta call bologna on that.

    Dal90 has it right. Governments won't need to hack you, or ask you, or get a subpoena, if they already have access to your credentials with a simple request to the goog.

  14. Tom Paine

    Middle of the road, me

    Chromium is nice, as long as you remember to log out of every Google service after use (true of all browsers, of course.) I still sometimes go for Firefox, partly for nostalgic reasons (I remember Gecko as a bare HTML renderer, address bar, fwd / back / reload and nothing else. GOD I felt smug to be using it...

    1. Kiwi
      Big Brother

      Re: Middle of the road, me

      Chromium is nice, as long as you remember to log out of every Google service after use (true of all browsers, of course.)

      "The trick is not to try and bend the spoon - that would be impossible. The trick is to realise, there is no spoon".

      (or in this case, no point in logging out of google's slurpware, better never to log in in the first place (and also realise, there is no service, but you are getting 'serviced' and there sure is a load of bull involved!)
