I sure would like to understand the security side of Google checking my Passwords. Does that feel a bit invasive? So in some mysterious computer way Google has my passwords to compare with compromised ones. I still rely on 1Password. But, of course the Google check is a different feature.
PS. Always enjoy your content.
—–
Paddy Zoller
It certainly sounds safe, according to what I have read. For those that don't know, Google has a special extension for the Chrome browser that will warn you if a password you are using has been compromised.
The way it supposedly works is that the password you are using is encrypted and hashed, and then that version of it is sent to Google and compared to lists of passwords that hackers already have. If there is a match, you get a warning to change your password.
What does "hashed" mean? Well, imagine your password was "abc." Imagine a very simple hash where each letter is converted to its number and the total added. So a=1, b=2, c=3. Your hash for abc is 6. That is what is sent to Google. If there is a password abc in the list of compromised passwords, then that also has a hash of 6 and there is a match — you get a warning. But if Google wanted to steal your password, they couldn't do it. 6 could be abc, or bbb, or cab, or aaaab, etc. They all have a hash of 6. So you may get a false positive in the test, but you can't figure out what your password is based on the hash. The more complex the hash, the less chance of a false positive and also the less chance reverse-engineering your password from it. And they are using a very complex hash, I'm sure. It is easy to do so.
Actually, 1Password already uses a very similar system (https://support.1password.com/watchtower/).
However, if you are using randomly-generated password and a unique one for every site, then it is unlikely that Google or 1Password's password-checking systems are needed. But you also have to stay alert to the news and when you hear of a major breach at any of the sites/services that you use, you need to change you password at that site/service.