[Update: Android too] Google Chrome adds Password Leak Detection to tell you when your password is compromised
The responsibility of keeping accounts secure is generally something a company puts on the shoulders of the user. However, the way passwords are used by the masses has shown that they aren’t as secure as they could be. There are entire industries that have been built around this issue (password managers, U2F keys, etc.) and we should actually be moving away from the password system entirely. Google has done some work in this area and continues to push the envelope by adding a Password Leak Detection feature right into the Google Chrome browser.
Some companies have also taken security seriously and warned their users when a compromised password is used. Google seems to want to help this movement by also doing this on the browser level. First reported by Techdows, a bug found in the Chromium Issue Tracker has led us to a commit to the Chromium Gerrit, which shows that a toggle is being added to Chrome to enable or disable this new Password Leak Detection feature. You can try out this new feature right now in the latest Chrome 78 Canary build by searching for the word “leak” in the chrome://flags page.
Once enabled, Google Chrome will show you if the password you enter into a website matches information Google has on public data breaches. This feature will only be available for users who are signed into their Google account, but it can help millions of people. If Google Chrome detects the user entering a compromised password, a pop-up prompt will tell them that this password has been found in the public list of unsafe passwords.
Google Chrome will then suggest that you change the password ASAP. Ultimately, it will still be up to the user to fix the issue, but at least they are being informed of the issue.
Update: Android too
The Password Leak Detection feature that was added to Chrome 78 Canary is headed to Android as well. A recent commit is titled “[Android] Add switch for leak detection in settings” and the description reads:
This CL adds a switch in Settings > Passwords through which users can disable the password breach checks. This switch is disabled if the pref is managed.