In a recent update, Google has rolled out the stable version of Chrome 79 to its users. This version of Chrome ships two important browser security features: improved password protection and real-time phishing protection.
Malware attacks, data breaches and phishing attacks are all real-world problems. Fake websites and URL hijacking scams peak during the holiday season and trick users into entering their passwords and other sensitive information. Accordingly, data security is now a top priority for the platforms that handle that data. Google Chrome has always stressed built-in safety protections, and now it is expanding them.
Compromised Password Warning
Google first introduced password breach warnings early in the year as the Password Checkup extension. Password Checkup compares users' usernames and passwords against Google's own database of more than 4 billion compromised credentials known to Google.
According to Google this is how it works:
- Whenever Google discovers a username and password exposed by another company's data breach, a hashed and encrypted copy of this data is saved on its servers, encrypted with a secret key known only to Google.
- When a user signs into a website, Chrome sends Google a hashed copy of the entered username and password, encrypted with a secret key known only to Chrome. No one, including Google, can derive the username or password from this encrypted copy.
- To determine whether the username and password have appeared in any breach, Google uses a technique called private set intersection. It involves multiple layers of encryption and compares the encrypted username and password received from Chrome with all the encrypted breached usernames and passwords in Google's database, without revealing the username or password. To narrow the comparison, Chrome also sends a 3-byte SHA256 hash prefix of the username, which reduces the data joined from 4 billion records down to 250 records while still keeping the username anonymous.
- If the username and password have been compromised, Chrome notifies only the affected user, who is strongly recommended to change the password.
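The four steps above, as an added Python example that is not Google's or Chrome's code: a toy breach server and client implement the blinded comparison with commutative exponentiation, so the server only ever sees the client's blinded value plus the 3-byte username prefix, and the client only ever sees server-blinded records. The modular group (the real protocol blinds elliptic-curve points), the constructed breach list and all function and class names are assumptions for the demonstration.

```python
import hashlib
import secrets

# Toy group for the demonstration: the multiplicative group modulo the Mersenne
# prime 2^521 - 1. This is an assumption so the example runs with only the
# standard library; the deployed protocol uses elliptic-curve blinding instead.
P = (1 << 521) - 1


def hash_to_group(username: str, password: str) -> int:
    """Map a credential to a group element in [2, P-2]. This value is never sent unblinded."""
    digest = hashlib.sha256(username.encode() + b"\x00" + password.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 3) + 2


def blind(element: int, key: int) -> int:
    """Apply a secret exponent. Exponentiation commutes: blind(blind(x,a),b) == blind(blind(x,b),a)."""
    return pow(element, key, P)


def username_bucket(username: str) -> bytes:
    """3-byte SHA-256 prefix of the username: the only unblinded thing the client sends."""
    return hashlib.sha256(username.encode()).digest()[:3]


def random_key() -> int:
    """Secret exponent in [2, P-2]; each party generates its own and never shares it."""
    return secrets.randbelow(P - 3) + 2


class BreachServer:
    """Google's side: breached credentials stored blinded with a key only the server knows."""

    def __init__(self, breached_credentials):
        self._key = random_key()
        self._buckets = {}
        for username, password in breached_credentials:
            record = blind(hash_to_group(username, password), self._key)
            self._buckets.setdefault(username_bucket(username), []).append(record)

    def query(self, bucket: bytes, client_blinded: int):
        """Return the client's value blinded a second time, plus the records in the requested bucket.

        The server sees only h^k (k known to the client alone), never the credential hash h.
        """
        double_blinded = blind(client_blinded, self._key)
        return double_blinded, list(self._buckets.get(bucket, []))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Chrome's side: True if (username, password) is in the server's breach set."""
    client_key = random_key()  # fresh per lookup, never leaves the client
    client_blinded = blind(hash_to_group(username, password), client_key)
    double_blinded, bucket = server.query(username_bucket(username), client_blinded)
    # Each record is h_i^K (server key). Applying the client key gives h_i^(K*k), which
    # equals the returned h^(k*K) only when h_i == h, i.e. the same credential.
    return any(blind(record, client_key) == double_blinded for record in bucket)


if __name__ == "__main__":
    # Constructed sample breach data, not real leaked credentials.
    demo_server = BreachServer([("alice@example.com", "hunter2"), ("bob@example.com", "password1")])
    print("alice/hunter2 breached:", check_credential(demo_server, "alice@example.com", "hunter2"))
    print("alice/other   breached:", check_credential(demo_server, "alice@example.com", "correct-horse"))
```

The bucket lookup is what keeps the exchange cheap: the server never has to blind its whole database on each request, only the few records that share the username's 3-byte prefix, and that prefix is too short to identify a user on its own.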
Real-time Phishing Protection
Google's Safe Browsing keeps track of malicious and potentially harmful sites on the web and shares this information with other browsers to keep the internet more secure. The list is refreshed every 30 minutes. It protects close to 4 billion devices daily against all kinds of security threats, including phishing.
However, some phishing sites dodge the 30-minute window, either by continuously switching domains or by hiding from Google's crawlers. Real-time phishing protection now checks the URLs of pages users visit against Safe Browsing's servers in real time. On visiting a website, Chrome first checks it against a list of sites known to be safe that is stored on the user's computer. If the website is not on this safe list, Chrome then checks the same URL against Google's database (after dropping any username or password embedded in the URL) to find out whether the site is malicious. Google's analysis has shown that this results in a 30 percent increase in protections, by warning users about malicious sites that are brand new.
Additionally, if this check determines that the site is suspicious or malicious, Chrome immediately shows a warning to change the compromised password. If the phished password is the Google Account password the user signed into Chrome with, Chrome also offers to notify Google as an added layer of protection, to help ensure the user's account isn't compromised.
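The check sequence described above, as an added Python example that is not Chrome's or Safe Browsing's code: a local safe-list lookup that sends nothing to the server, credential stripping of the URL before it leaves the browser (including the `user:pass@host` and bracketed IPv6 cases), a stand-in server lookup, and the follow-up actions. The hostname allowlist, the flat set of hashed bad URLs standing in for Safe Browsing's server-side list, and the function names are assumptions for the demonstration.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: a local allowlist of hosts that never trigger a server
# request, and a stand-in for the server-side list of known-bad URLs, keyed by
# SHA-256 of the credential-free URL. Real Safe Browsing uses its own hashing
# and prefix scheme; this flat set is an assumption for the demonstration.
LOCAL_SAFE_HOSTS = {"www.google.com", "accounts.google.com", "en.wikipedia.org"}
_SERVER_BAD_URLS = {
    hashlib.sha256(u.encode()).digest()
    for u in ("http://login-veriffy.example/account/reset", "https://paypa1-secure.example/")
}


def strip_credentials(url: str) -> str:
    """Drop any user:password@ from the authority so it never reaches the server."""
    parts = urlsplit(url)
    # rsplit on the last '@' keeps host, port and IPv6 brackets intact.
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def server_lookup(url: str) -> bool:
    """Stand-in for the real-time Safe Browsing query: True if the URL is known bad."""
    return hashlib.sha256(url.encode()).digest() in _SERVER_BAD_URLS


def is_suspicious(url: str, lookup=server_lookup) -> bool:
    """Local safe list first; only non-allowlisted URLs are sent (credential-free) to the server."""
    host = urlsplit(url).hostname or ""
    if host in LOCAL_SAFE_HOSTS:
        return False  # no network request for allowlisted hosts
    return lookup(strip_credentials(url))


def response_actions(url: str, password_used_for_chrome_signin: bool = False) -> tuple:
    """Actions the browser takes after a positive verdict, per the page's description."""
    if not is_suspicious(url):
        return ()
    actions = ["warn_change_password"]
    if password_used_for_chrome_signin:
        actions.append("offer_to_notify_google")
    return tuple(actions)


if __name__ == "__main__":
    for sample in ("https://www.google.com/search?q=x",
                   "https://alice:s3cret@paypa1-secure.example/",
                   "https://shop.example/cart"):
        print(sample, "->", response_actions(sample, password_used_for_chrome_signin=True))
```

Passing `lookup` as a parameter makes the outbound URL observable in a test, which is the property worth checking here: the server must only ever receive the URL with any embedded credentials removed.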