Google's password check extension may soon be built into Chrome


At the beginning of this year, the internet giant Google created a "Password Checkup" tool, which helps reveal whether our passwords have been exposed to hackers in an online data breach. According to sources, the web giant now plans to integrate the extension directly into the browser. The extension is not perfect, as it has some significant flaws.

The first flaw is that it still needs the express permission of the user: it is an opt-in tool, which means a person has to seek out password security measures on their own, something most users don't like to do.

The second is that, like most Android or iOS browsers, Google Chrome for Android and iOS does not support extensions.

According to the source, the "Chromium Bug Tracker", Google's developers are now planning to add this extension directly into the browser. The code will be changed, but the documents will remain private. The extension will work in such a way that usernames and passwords are encrypted during the checkup, and the server responds with an encrypted version of the leaked usernames and passwords that match. The information is never shared with anyone, including Google.

Those who don't want to use the feature can disable password checkup. The feature was originally made for enterprise customers, but it was then decided that it will be available to all. Moreover, building the password checkup tool directly into the Chrome browser will also give it access to the passwords that are synchronized to your Google account. The passwords remain safe with your Google account, and the password checkup service will be able to use Google's servers to check faster whether any of the data has been breached.

Google is trying to build the password checkup service into Chrome version 78, which might be released in the fall, in October. But there are still some bugs, so the service is not perfect for now. We will see this service very soon in the Chrome developer and Canary versions. The feature will not require users to find and install any extension, as the service is installed by default. The service can also be disabled according to user preference.

As the password checkup service relies on a person's confidential information, the data is always encrypted before it is sent to Google's servers for a checkup. Thus there is no way for anyone to view the data. The data is always stored on your local machine and is always hashed and encrypted, which helps protect it.
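A simplified sketch of a blinded breach lookup of the kind described above, where the server never sees the credential and the client never sees the breach list in the clear. This is an added illustration, not Chrome's or Google's code; the toy modulus, plain SHA-256 hashing, 2-byte bucket prefix, sample data and all names are assumptions.

```python
import hashlib
import math
import secrets

P = 2**127 - 1  # toy prime modulus (assumption); production systems use an elliptic curve

def digest(username, password):
    # Assumption: plain SHA-256 for brevity; a real service would use a slow, memory-hard hash.
    return hashlib.sha256(f"{username}\x00{password}".encode()).digest()

def to_group(d):
    return int.from_bytes(d, "big") % (P - 1) + 1  # map the digest into 1..P-1

def new_key():
    # Exponent coprime to P-1, so x -> x^k mod P is invertible and blinding can be undone.
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class BreachServer:
    def __init__(self, leaked):
        self.key = new_key()
        self.buckets = {}
        for user, pw in leaked:
            d = digest(user, pw)
            # Store only H(cred)^b, grouped by a short hash prefix.
            self.buckets.setdefault(d[:2], set()).add(pow(to_group(d), self.key, P))

    def lookup(self, prefix, blinded):
        # The server sees a 2-byte prefix and H(cred)^a, never the credential or its full hash.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def is_leaked(server, username, password):
    d = digest(username, password)
    a = new_key()                                    # fresh client key for each lookup
    blinded = pow(to_group(d), a, P)                 # H^a
    double, bucket = server.lookup(d[:2], blinded)   # H^(ab) plus the server-blinded bucket
    unblinded = pow(double, pow(a, -1, P - 1), P)    # strip a, leaving H^b
    return unblinded in bucket                       # the match is decided on the client

# Constructed sample breach data
LEAKED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]
```

The bucket prefix trades a few bits of anonymity for a much smaller response, since the server returns only entries sharing that prefix rather than its entire breach set.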

Other companies offer the same type of service. 1Password, for example, provides a similar service through its Watchtower integration, which compares passwords against the "Have I Been Pwned" database, a more extensive database of breached data. 1Password charges for its service. The service provided by Google, on the other hand, is free of cost, and it also has a built-in password generator that helps you create new passwords if you find that your data has been caught in a breach.

While it looks like a handy service, it raises the question of how safe our data is. There are standards like "Web Authentication", which will replace your password with a tiny hardware device that only you can use to authorize access. This is very promising, but very few websites support the standard for now.

There is also two-factor authentication, one of the more useful functions offered on the internet, but it too has its limitations. Two-factor authentication uses text messages and calls. The SS7 network, which manages calls and texts between cellular networks, is shared by every telecom operator. Theoretically, access to the SS7 system is limited to telecom operators, but hijacking services are available on hacker forums.

There is no third-party service to attack the network directly. According to Positive Technologies researchers, it doesn't take much effort to hijack the system. The most targeted users are those who use bitcoin wallets, because bitcoin transactions are irreversible, and the attack works as well as any other web attack. Some attacks are carried out over SMS, and some break into the carrier account to set up call forwarding.

There are very few steps you can take to protect yourself from this type of attack. For instance, Google, Coinbase and some others offer app-based services that generate one-time passwords, so that you get a new password every time you try to log in. Many companies still use SMS-based authentication as a second factor. The attacks will continue as long as that service is used for two-factor authentication.