Google expands password and phishing protection features in Chrome 79
Google Chrome 79 is rolling out in the stable channel on all platforms this week, and as always, there are loads of new browser features. Some of the most important new features are privacy and security-related. Here’s a highlight of what’s new.
Better Password Protection in Google Chrome
Back in February, Google launched the Password Checkup Chrome extension. This extension warned you when any of your usernames or passwords showed up in a data breach. In October, Google integrated this Password Checkup into the Google Account, making it accessible from passwords.google.com. Now, Chrome 79 is integrating this feature. It can be controlled in the “Sync and Google Services” section of Chrome’s Settings.
Here’s how it works, according to Google:
- Google maintains a database consisting of hashed copies of usernames and passwords exposed in data breaches. The data is encrypted with a secret key known only to Google.
- If you sign in to any website, Chrome sends a hashed copy of your entered username and password to Google. The data is encrypted with a secret key known only to Chrome, so no one – including Google – can derive your username or password.
- Google uses a technique called private set intersection with blinding to compare your hashed and encrypted username and password against its database – all without revealing your or any other user’s login information.
- Only the user is notified if their username and password are compromised.
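The blinding steps above can be sketched as follows. This is an added example, not Google's or Chrome's code: the toy group (integers modulo 2**127 - 1), SHA-256 as the credential hash, the `Server` class, the function names and the sample credentials are all assumptions chosen for illustration, and the group is far too small for real use.

```python
import hashlib
import math
import secrets

# Toy group (assumption): integers modulo the Mersenne prime 2**127 - 1.
# Illustrative only; far too small for real use and not what Chrome uses.
P = 2**127 - 1
ORDER = P - 1  # order of the multiplicative group mod P

def hash_to_group(username: str, password: str) -> int:
    """Hash a credential pair to a group element in [1, P-1]."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(digest, "big") % ORDER + 1

def random_key() -> int:
    """Secret exponent, invertible mod ORDER so blinding can be undone."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k

class Server:
    """Holds breached credentials only as H(cred)^b for a secret key b."""
    def __init__(self, breached):
        self._key = random_key()
        self.encrypted_db = {pow(hash_to_group(u, p), self._key, P)
                             for u, p in breached}

    def reblind(self, blinded: int) -> int:
        # Sees only H(cred)^a, which hides H(cred) behind the client key a.
        return pow(blinded, self._key, P)

def is_compromised(server: Server, username: str, password: str) -> bool:
    a = random_key()                                         # client-only key
    blinded = pow(hash_to_group(username, password), a, P)   # H^a, sent out
    double = server.reblind(blinded)                         # H^(a*b), returned
    unblinded = pow(double, pow(a, -1, ORDER), P)            # strip a -> H^b
    # Comparison happens on the client against the server's encrypted entries.
    return unblinded in server.encrypted_db

# Constructed sample data, not real breach contents.
SERVER = Server([("alice@example.com", "hunter2"), ("bob@example.com", "123456")])
```

Because exponentiation commutes, the client can remove its own key from the doubly blinded value and is left with the credential under the server's key alone, which it can match without either side seeing the other's plaintext.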
Real-time phishing protection
Google’s Safe Browsing service warns users if they’re visiting an unsafe website by checking a partial URL fingerprint (the first 32 bits of a SHA-256 hash) against a local blocklist updated every 30 minutes. Google never sees the full URL of the site you visit this way, and for the most part, they’re able to keep up with the thousands of phishing websites on the web. However, some phishing sites switch domains very quickly or hide from Google’s web crawlers, resulting in them slipping under Safe Browsing’s 30-minute refresh window.
In response, Google is enabling real-time phishing protection in Chrome 79. Now, Chrome will anonymously check the URL of websites you visit that aren’t on its safe-list (a local list of thousands of popular websites known to be safe). Google says this new real-time phishing protection has resulted in a 30% increase in protection as users are now warned about newly discovered malicious sites that previously slipped under Safe Browsing’s 30-minute refresh window. This feature can be controlled by the user with the “Make searches and browsing better” setting.
Expanded predictive phishing protection
Back in 2017, Google launched predictive phishing protection to warn users if they enter their Google Account password into suspected phishing sites. Until now, this protection was only enabled for users who turned on sync in Chrome. Now, this protection is expanding to work for everyone signed in to Chrome – with or without sync enabled. Furthermore, this feature now works with all passwords stored in Chrome’s password manager – not just your Google Account password.
Visual update to Chrome profiles
If you have multiple Google Accounts signed in to Chrome, you’ll see a new visual representation of the profile you’re currently using. The profile menu itself has also received a new look. Both of these UI changes were done for the sake of ensuring you know you’re saving your passwords to the right profile.
Many of these new features were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security product engineers in Munich. These newly announced features will be rolled out gradually with the latest Chrome release.