The new tools on Chrome and Edge will make it easier for browser users to discover – and change – compromised passwords.
<div class="c-article__content js-reading-content"> <p>Two major browsers –Microsoft Edge and Google Chrome – are rolling out default features, which they say will better help notify users if their password has been compromised as part of a breach or database exposure.</p> <p>Edge and Chrome’s moves signify a bigger push by browsers to solve the <a href="https://threatpost.com/troy-hunt-messy-password-problem/145439/" target="_blank" rel="noopener noreferrer">big “password problem”</a> plaguing the security industry. Over the past two years, major browsers (including <a href="https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/" target="_blank" rel="noopener noreferrer">Mozilla Firefox)</a> have launched built-in tools for helping users identify passwords that are increasingly wrapped up in data breaches – and easily change them.</p> <h2>Microsoft Password Monitor</h2> <p>Microsoft <a href="https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel" target="_blank" rel="noopener noreferrer">on Thursday</a> said that its next version of Edge (version 88.0.705.50) will generate alerts if a user password is found in an online leak. The tool, called Password Monitor, will check users’ passwords against a data repository of known, breached credentials. If the passwords saved to the browser matches those on a list of leaked credentials, Password Monitor will send users alerts and prompt them to update their password.</p> <p><a href="https://threatpost.com/newsletter-sign/"><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt="" width="700" height="50"></a></p> <p>“To ensure security and privacy, user passwords are hashed and encrypted when they’re checked against the database of leaked credentials,” said Microsoft.</p> <p>In addition, Microsoft’s newest Edge version will include a built-in “strong password generator,” which it hopes will promote strong passwords for internet users who are signing up for a new account, or changing an existing password.</p> <p>Security experts applauded the new measures. “By having the password management feature in the browsers look for compromised credentials, it allows the potential victim to change the password in other places before it impacts them,” Erich Kron, security awareness advocate at KnowBe4 told Threatpost. “Hopefully, it will also demonstrate to the individual the importance of not reusing passwords across multiple services.”</p> <h2>Google Chrome’s Latest Password Protections</h2> <p>Meanwhile, <a href="https://security.googleblog.com/2021/01/new-year-new-password-protections-in.html" target="_blank" rel="noopener noreferrer">Google this week announced</a> it will introducing new features that will consolidate its password protections – and make them for seamless for users – in Chrome 88 over the coming weeks. Chrome 88 will give allow users to launch a simple check to identify any weak passwords and “take action easily.” By navigating to the top of their browser and clicking on passwords and “Check Passwords,” users are able to easily check whether all of their passwords have been compromised in a breach – and on the same page edit their passwords to choose safer alternatives if need be.</p> <p>Chrome <a href="https://threatpost.com/google-adds-password-checkup-feature-to-chrome-browser/148838/" target="_blank" rel="noopener noreferrer">already alerts users if their passwords have been compromised</a> and prompts them to update – However, the idea here is to give users the ability to update multiple usernames and passwords easily all in one place.</p> <p>“That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too),” said Google.</p> <p>Chrome also provided an update on its existing password protection tools, including Safety Check, launched in 2020, which tells Chrome users if passwords they’ve asked the browser to remember have been compromised. Google said as a result of Safety Check it has seen a 37 percent reduction in compromised credentials stored in Chrome.</p> <h2>Password Health Continues to Fail</h2> <p>With data breaches continuing to hit companies, attackers are accessing credentials across the board. However, compromised data isn’t leading to actionable changes by consumers – in fact <a href="https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/" target="_blank" rel="noopener noreferrer">a 2020 survey found that half of respondents</a> hadn’t changed their password in the last year – even after they heard <a href="https://threatpost.com/healthcare-giant-magellan-ransomware-data-breach/155699/" target="_blank" rel="noopener noreferrer">about a data breach</a> in the news. This “password problem” has challenged the security industry for years, with companies grappling with issues like poor password hygiene, password reuse or easy-to-guess passwords. Making matters worse, passwords are appearing left and right online as part of major data breaches – yet victims aren’t changing their passwords at all across various platforms. The <a href="https://threatpost.com/773m-credentials-dark-web/140972/" target="_blank" rel="noopener noreferrer">Collection #1</a> data dump in 2019 for instance, which included 773 million credentials, and subsequent <a href="https://threatpost.com/collection-1-data-dump-hacker-identified/141447/" target="_blank" rel="noopener noreferrer">Collection #2-5 dumps</a>, show exactly how many passwords are available on the Dark Web and underground forums.</p> <p>“Password compromise is a huge ongoing issue leading to everything from data breaches to ransomware or other malware infections,” Kron said. “This in large part due to the practice of credential stuffing. This is where cybercriminals take known usernames and passwords from previous breaches and attempt to use them on other services. Knowing that people tend to reuse passwords across multiple services, they know the odds of success are worth the effort.”</p> <p>Lamar Bailey, senior director of security research with Tripwire, said that passwords are “the Achilles heel of cybersecurity.”</p> <p>“The vast majority of breaches start with stolen, weak or reused passwords,” Bailey said. “Our brains can’t keep up with a long list of passwords that map to all of the various sites, assets and services we access on a given day. Third-party password vaults… have become the de facto standard to solve this problem. With the latest update, Chrome and Edge will be competing with these third-party products by offering some of the same features.”</p> <p><strong>Download our exclusive </strong><a href="https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook" target="_blank" rel="noopener noreferrer"><strong>FREE Threatpost Insider eBook</strong></a> <em><strong>Healthcare Security Woes Balloon in a Covid-Era World</strong></em><strong>, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and </strong><a href="https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook" target="_blank" rel="noopener noreferrer"><strong>DOWNLOAD the eBook now</strong></a><strong> – on us!</strong></p> <p> </p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Microsoft Edge, Google Chrome Roll Out Password Protection Tools" data-url="https://threatpost.com/microsoft-edge-google-chrome-roll-out-password-protection-tools/163272/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>