Back in 2019, Google introduced an extension that warned about compromised credentials, and it later became a native Chrome feature. Password Checkup is now being integrated into Android’s “Autofill with Google” system when signing into third-party apps.
Autofill with Google works to simplify the login process after installing a previously used app, usually when setting up a new device. During sign-in, Password Checkup will see if the current credential being entered has previously leaked. In those instances, a “Change your password” message appears:
A data breach on a site or app exposed your password. Google recommends changing your password on [App] now.
Users can open the full Password Manager page of usernames they’ve chosen to save with Google to run a full review. This feature works in a privacy-preserving manner that does not reveal personal information to Google. At a high level:
- Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database).
- The server returns a list of encrypted hashes of known breached credentials that share the same prefix.
- The actual determination of whether the credential has been breached happens locally on the user’s device.
- The server (Google) does not have access to the unencrypted hash of the user’s password, and the client (user) does not have access to the list of unencrypted hashes of potentially breached credentials.
Password Checkup for Autofill with Google (Settings > System > Languages & input > Advanced > Autofill service) is available on Android 9 and later. Other Android features coming this spring include:
- Google Maps dark theme officially announced, coming soon to Android
- Google is bringing games to Android Auto, and no, it’s not Stadia
- Google Assistant lockscreen commands are now accompanied by glanceable cards
- Android TalkBack updated with new gestures, customization, more
Author: Abner Li