We’re always working to make sure your data is protected, whether you’re using Google products or checking out your favorite websites and apps.
Today, we’re introducing two new updates that will help keep your data secure, beyond just Google’s sites and apps: Password Checkup, a Chrome extension that helps protect your accounts from third-party data breaches, and a new feature called Cross Account Protection.
Password Checkup
We help keep your Google Account safe by proactively detecting and responding to security threats. For example, we already automatically reset the password on your Google Account if it may have been exposed in a third-party data breach—a security measure that reduces the risk of your account getting hacked by a factor of ten.
But we want to provide you with the same data breach protections for your accounts, beyond just Google apps and sites. This is where the new Password Checkup Chrome extension can help. If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised, the extension will trigger an automatic warning and suggest that you change your password.
We built Password Checkup so that no one, including Google, can learn your account details. To do this, we developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University. For a more technical description of these innovations, check out our security blog post.
This is our first version of Password Checkup, and we’ll be refining it in the coming months. You can take advantage of these new protections right away by installing the extension.
Cross Account Protection
In the rare case that an attacker is able to find a way into your Google Account, we’ve built useful tools to help you quickly get back to safety. Unfortunately, these protections haven’t extended to the apps that you sign into with Google Sign-In.
Cross Account Protection helps address this challenge. When apps and sites have implemented it, we’re able to send information about security events—like an account hijacking, for instance—to them so they can protect you, too.
We’ve designed the security events to be extremely limited to protect your privacy:
- We only share the fact that the security event happened.
- We only share basic information about the event, like whether your account was hijacked, or if we forced you to log back in because of suspicious activity.
- We only share information with apps where you have logged in with Google.
We created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement.
For app developers using Firebase or Google Cloud Identity for Customers & Partners, it is included by default. We’re getting this effort off the ground now, and developers can get started today to improve security for everyone.
With technologies like Password Checkup and Cross Account Protection, we're continuing to improve the security of our users across the internet, not just on Google. We'll never stop improving our defenses to keep you safe online.
By Kurt Thomas, Security and Anti-Abuse Research Scientist, and Adam Dawes, Senior Product Manager, Developer Tools for Identity