Google is adding its password checking feature to Android, making the mobile operating system the latest of the company's products to let users easily check whether the passwords they are using have been compromised.
Password checking works by comparing the credentials entered into apps against a list of billions of credentials exposed in the countless website breaches of the past few years. If there is a match, the user receives a warning, along with a prompt that leads to Google’s password manager page, which provides a way to review the security of all saved credentials.
Alerts look like this:
Google introduced Password Checkup in the form of a Chrome extension in early 2019. In October of that year, the feature made its way to the Google Password Manager, a dashboard that examines web passwords stored in Chrome and synced with a Google account. Two months later, the company added it to Chrome.
Google’s Password Manager makes it easy for users to go directly to sites where they have bad passwords by clicking the “Change Password” button that appears next to any compromised or weak password. The password manager can be accessed from any browser, but it only works when users sync their credentials with their Google account password, rather than with an optional standalone password.
The new password checker became available Tuesday on Android 9 and above for users of Android Autofill, a feature that automatically fills in passwords, addresses, payment information, and other data commonly entered into web and app forms.
The Android autofill framework uses strong encryption to ensure that passwords and other information are available only to authorized users. Google can access user credentials only when users 1) have already saved a credential to their Google account, or 2) have been prompted by the Android operating system to save a new credential and have chosen to save it to their account.
When a user enters a password by filling in a form or saves one for the first time, Google uses the same privacy-preserving encryption that powers Password Checkup in Chrome to check whether the credential appears on a list of known breached passwords. The API sends only a search key: the password is first cryptographically hashed with the Argon2 function, and the resulting hash is then encrypted with elliptic-curve cryptography before it leaves the device.
In a post published Tuesday, Google said the implementation will ensure that:
- Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
- The server returns a list of encrypted hashes of known compromised credentials that share the same prefix
- The actual determination of whether the credentials have been breached is done locally on the user’s device
- The server (Google) cannot access the unencrypted hash of the user’s password and the client (user) cannot access the list of unencrypted hashes of potentially compromised credentials
Google has written more about how the implementation works here.
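To make the four properties above concrete, here is a toy model of the exchange, written as an added example and not Google's code. It assumes two stand-ins: PBKDF2 instead of Argon2 (which is not in the Python standard library), and commutative blinding by modular exponentiation in a small prime-order group instead of elliptic-curve encryption; the breach list and credentials are constructed. The shape of the protocol is what matters: the server sees only a 2-byte prefix and a blinded value, the client sees only server-blinded entries, and the match is decided on the client.

```python
import hashlib
import math
import secrets

# Toy group: Z_P^* for the Mersenne prime 2^127-1 (demonstration only, not production strength).
P = 2**127 - 1
ORDER = P - 1  # exponents are inverted modulo the group order


def credential_hash(username: str, password: str) -> bytes:
    # Stand-in for Argon2: a slow, salted hash of the credential (salt is a constructed constant).
    return hashlib.pbkdf2_hmac("sha256", f"{username}:{password}".encode(),
                               b"password-checkup-demo", 100_000, dklen=32)


def to_group(h: bytes) -> int:
    # Map the hash to a nonzero group element (toy mapping).
    return int.from_bytes(h, "big") % ORDER + 1


def random_key() -> int:
    # Blinding exponent coprime to the group order, so it can be undone later.
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


def blind(x: int, k: int) -> int:
    return pow(x, k, P)           # commutative: blind(blind(x, a), b) == blind(blind(x, b), a)


def unblind(x: int, k: int) -> int:
    return pow(x, pow(k, -1, ORDER), P)


class CheckupServer:
    """Holds breached credentials only as server-blinded hashes, bucketed by 2-byte prefix."""

    def __init__(self, breached):
        self.key = random_key()   # server secret b, never leaves the server
        self.buckets = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:2], []).append(blind(to_group(h), self.key))

    def lookup(self, prefix: bytes, client_blinded: int):
        # The server learns only the prefix and x^a; it returns (x^a)^b plus its bucket of y^b values.
        return blind(client_blinded, self.key), self.buckets.get(prefix, [])


def client_check(server: CheckupServer, username: str, password: str) -> bool:
    h = credential_hash(username, password)
    a = random_key()              # per-query client secret
    doubly_blinded, candidates = server.lookup(h[:2], blind(to_group(h), a))
    server_only = unblind(doubly_blinded, a)   # ((x^a)^b)^(1/a) == x^b, comparable to the bucket
    return server_only in candidates           # decided locally; the client never sees plain hashes
```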
On most Android devices, autofill can be turned on by:
- Open Settings
- Tap System > Languages & Input > Advanced
- Tap Autofill Service
- Tap Google to check if the setting is enabled
Separately, on Tuesday, Google reminded users of two other security features that were added to Android autofill last September. The first is a password generator that automatically chooses a strong, unique password and stores it in the user’s Google account. The generator can be accessed by long-pressing the password field and selecting Autofill from the popup menu.
Users can also configure Android autofill to require biometric authentication before adding credentials or payment information to an app or web field. Biometric authentication can be enabled in the Google AutoFill settings.