Data breaches that compromise people's usernames and passwords have become so common, and used in crime for so long, that millions of stolen credential pairs have actually become practically worthless to criminals, circulating online for free. And that doesn't even begin to scratch the surface of the more current credentials sold on the black market. All of this means that it's increasingly difficult to keep track of which of your passwords you need to change. So Google has devised a Chrome extension to watch your back.

On Tuesday, the company is announcing "Password Checkup," which runs in Chrome all the time as you go about your daily web browsing, and checks passwords you enter on all sites against a database of known compromised passwords. Password Checkup isn't a password manager, a gauge of how weak or strong your passwords are, or a source of advice. It just sits quietly until it detects a credential pair that is known to be exposed, and then it shows a warning. That's it.

The tool is unobtrusive by design, so you'll actually pay attention to it when it notices genuine risks. If you've been feeling overwhelmed by all the news of data breaches and cybercrime over the past few years, Password Checkup is meant as an easy way to take back some control.

Watchdog

Google accounts tend to be particularly sensitive, because they are often a person's primary email account, and email is the recovery channel for most other accounts. So the company has already been grappling with notifying users when their Google credentials are compromised—not because Google was hacked but because people reuse passwords on multiple sites.

Google relies on a database of compromised credentials that totals about four billion unique usernames and passwords, gathered from troves its security teams access online as they go about their larger threat detection research for the company. Google says it hasn't ever bought stolen credentials, and that it doesn't currently collaborate with other security-minded aggregators like Have I Been Pwned, a service maintained by the security researcher Troy Hunt. The company does accept donations of stolen credentials from researchers, though.

The company already uses that stash to force Google users to abandon exposed passwords. And other Google divisions, like Nest, are working on features to prevent reuse of exposed passwords, because of problems with account takeovers.

"We've reset something like 110 million passwords on Google accounts because of massive breaches and other data exposures," says Elie Bursztein, who leads the anti-abuse research team at Google. "The idea is, can we have a way to do it everywhere? It works in the background and then after 10 seconds you may get a warning that says 'hey, this is part of a data breach, you should consider changing your password.' We want it to be 100 percent: if we show it to you, you have to change it."

Google's database is always growing, but appears to have some holes. When I tested Password Checkup with a login that I know has been compromised in breaches (so I have one account I haven't updated yet; what are you gonna do?), it didn't flag it.

Bursztein and Kurt Thomas, a Google security and anti-abuse research scientist, note that they've skewed toward zero false positives: a warning fires only on an exact match of username and password, so users aren't warned about a similar but slightly different password, or about the same password that was compromised for a different person but not for you. And they emphasize that while the company is releasing Password Checkup as a regular Chrome extension for people to start using, it's still an experiment and isn't necessarily finalized.
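To make that matching rule concrete, here is an added Python illustration. It is not Google's code and says nothing about how Password Checkup actually talks to Google's servers; it only contrasts two ways of indexing a breach corpus. The leaked pairs are constructed for the example. A pair index keyed on a hash of the normalized username plus the exact password behaves the way the researchers describe: a near-miss password, or the same password leaked for someone else, does not trigger a warning. A password-only index, by contrast, produces exactly the false positive they say they want to avoid.

```python
import hashlib

# Constructed sample standing in for a corpus of leaked (username, password) pairs.
LEAKED_PAIRS = [
    ("alice@example.com", "hunter2"),
    ("Bob@Example.com", "Summer2018!"),
]


def normalize_username(username: str) -> str:
    # Email-style usernames are matched case-insensitively; surrounding whitespace is noise.
    # The password is deliberately NOT normalized: an exact match is the point.
    return username.strip().lower()


def pair_digest(username: str, password: str) -> str:
    # Hash the pair, not the password alone. The NUL separator prevents two different
    # (username, password) splits from producing the same byte string.
    data = normalize_username(username).encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).hexdigest()


def password_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_pair_index(pairs) -> set:
    """Index keyed on the full credential pair (the zero-false-positive design)."""
    return {pair_digest(u, p) for u, p in pairs}


def build_password_index(pairs) -> set:
    """Index keyed on the password only, shown for contrast."""
    return {password_digest(p) for _, p in pairs}


def is_exposed_pair(pair_index: set, username: str, password: str) -> bool:
    """Warn only if this exact username/password combination appears in the corpus."""
    return pair_digest(username, password) in pair_index


def is_exposed_password(password_index: set, password: str) -> bool:
    """Warn if the password appears anywhere in the corpus, regardless of owner."""
    return password_digest(password) in password_index


if __name__ == "__main__":
    pairs = build_pair_index(LEAKED_PAIRS)
    pws = build_password_index(LEAKED_PAIRS)
    for user, pw in [("ALICE@example.com ", "hunter2"),   # same pair, different casing
                     ("alice@example.com", "hunter3"),    # near-miss password
                     ("carol@example.com", "hunter2")]:   # same password, different person
        print(user.strip(), pw, "pair:", is_exposed_pair(pairs, user, pw),
              "password-only:", is_exposed_password(pws, pw))
```

The first case warns under both policies, the second under neither, and the third only under the password-only policy, which is the "compromised for a different person, but not you" warning the researchers chose not to show.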

Check Mate

The researchers are anticipating controversy—or "a conversation," as they often call it—about a crucial question that you may have by now, too: If Password Checkup is running quietly in Chrome all the time with the express goal of monitoring your login credentials, isn't Google going to end up with a terrifying trove of all your passwords? And if so, couldn't attackers find a way to compromise Password Checkup to grab tons of current credentials, track you, or infiltrate Google's database of stolen data?