Android users now have an easy way to check the security of their passwords

Google is adding its Password Checkup feature to Android, making the mobile operating system the latest company offering to give users an easy way to see whether the passwords they use have been compromised.

Password Checkup works by checking credentials entered into apps against a list of billions of credentials that have been compromised in the countless website breaches that have occurred in recent years. If there is a match, users receive an alert, along with a link that takes them to Google's password manager page, which provides a way to review the security of all stored credentials.

Alerts look like this:

[Screenshot of the alert. Credit: Google]

Google introduced Password Checkup in early 2019 in the form of a Chrome extension. In October of that year, the feature made its way to Google Password Manager, a dashboard that examines web passwords stored in Chrome and synced to a Google Account. Two months later, the company added it to Chrome.

Google's Password Manager makes it easy for users to go directly to the websites where they use bad passwords by clicking the "Change Password" button next to each password that is compromised or weak. The password manager is accessible from every browser, but it only works when users sync credentials with their Google Account password, rather than an optional password.

The new Password Checkup was available from Tuesday on Android 9 and higher for users of autofill with Android, a feature that automatically adds passwords, addresses, payment details and other information that is usually entered into web and app forms.

The Android autofill framework uses advanced encryption to ensure that passwords and other information are only available to authorized users. Google only has access to user credentials if users 1) have already stored a credential in their Google Account and 2) were offered the option to save a new credential through the Android operating system and chose to store it in their account.

When a user interacts with a password by filling it into a form or saving it for the first time, Google uses the same encryption that powers the privacy check in Chrome to see if the credential is part of a list of known compromised passwords. The web application interface only sends passwords that are cryptographically hashed using the Argon2 function to create a search key encrypted with Elliptic Curve cryptography.

In a report published on Tuesday, Google said that the implementation ensures that:

  • Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
  • The server returns a list of encrypted hashes of known breached credentials that have the same prefix
  • The actual determination of whether the credential has been breached takes place locally on the user's device
  • The server (Google) does not have access to the unencrypted hash of the user's password and the client (User) does not have access to the list of unencrypted hashes of potentially breached credentials.

Google has written more about how the implementation works here.
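
The lookup those four guarantees describe can be sketched as follows. This is an added example, not Google's code: PBKDF2 stands in for Argon2, exponentiation modulo a toy prime stands in for the elliptic-curve encryption, and the server's re-encryption of the client's value, the username-plus-password input and every name below are assumptions.

```python
import hashlib
import math
import secrets

P = 2**521 - 1  # toy prime modulus standing in for the elliptic-curve group (not secure parameters)
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]  # constructed sample

def cred_hash(user: str, pw: str) -> bytes:
    # Slow hash of the credential; PBKDF2 is a stand-in for Argon2 (stdlib only).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), user.encode(), 10_000)

def to_group(h: bytes) -> int:
    # Map the hash to a non-zero element modulo P.
    return int.from_bytes(hashlib.sha512(h).digest(), "big") % P or 1

def new_key() -> int:
    # A secret exponent that is invertible mod P-1, so its blinding can be removed later.
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    def __init__(self, breached):
        self.key = new_key()
        self.buckets = {}  # 2-byte hash prefix -> set of server-encrypted hashes
        for user, pw in breached:
            h = cred_hash(user, pw)
            self.buckets.setdefault(h[:2], set()).add(pow(to_group(h), self.key, P))

    def lookup(self, prefix: bytes, blinded: int):
        # The server sees only the prefix and a blinded value; it applies its own key
        # and returns the whole bucket of encrypted hashes sharing that prefix.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def is_breached(server: Server, user: str, pw: str) -> bool:
    h = cred_hash(user, pw)
    a = new_key()  # fresh client key for every lookup
    double, bucket = server.lookup(h[:2], pow(to_group(h), a, P))
    # Remove the client's key locally: ((H^a)^b)^(1/a) = H^b, comparable to bucket entries.
    return pow(double, pow(a, -1, P - 1), P) in bucket
```

The comparison runs on the client, and each side only ever holds values encrypted under the other side's key.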

On most Android devices, autofill can be enabled by:

  1. Opening Settings
  2. Tapping System > Languages & input > Advanced
  3. Tapping Autofill service
  4. Tapping Google to make sure the setting is enabled

Separately, Google on Tuesday reminded users of two other security features added to Android autofill last September. The first is a password generator that will automatically select a strong and unique password and store it in users' Google Accounts. You can access the generator by long-pressing the password field and selecting Autofill from the pop-up menu.

Users can also configure Android autofill to require biometric authentication before adding credentials or payment information to an app or webpage. Biometric authentication can be enabled in the Autofill with Google settings.
