Dec 11, 2019 16:00:00

Google explains the mechanism of `` password protection function '' enhanced with Chrome 79

On December 11, 2019,

version 79.0.3945.79 of the web browser ' Google Chrome ' was released. Google has announced that 'version 79 will gradually strengthen the password protection function,' and explains the mechanism of the password protection function.

Better password protections in Chrome
https://www.blog.google/products/chrome/better-password-protections/

Google Online Security Blog: Better password protections in Chrome-How it works
https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html

The password protection feature that was enhanced with Chrome 79 is the same as 'Password Checkup' released as an official extension in February 2019. Previously, you had to download and install Password Checkup, but Chrome 79 has a built-in Password Checkup function by default.

Google releases `` Password Checkup '' that checks every time the password used on the Internet is not dangerous due to data breach-gigazine

Google explains that the 'Strengthened Password Protection Function' is divided into the following four steps.

1 ：
Collects usernames and passwords leaked from another company and saves 'encrypted username & password' and '

hash generated from username & password' on Google database. Only Google has the key to breaking this encryption.

2:
When you log in to your Google account with Chrome, your username and password will be encrypted, hashed, and then 'hidden from the account' and sent to Google.

3 ：
Using the technique of ' (PDF file)

Private set intersection with blinding ', the leaked data is compared with the encrypted data sent from Chrome while keeping the sender information hidden.

Four:
Perform a final check locally to see if your data contains your username & password. If the check reveals that your username & password has been leaked, Chrome will display a 'Please change your password' notification.

This enhanced password protection feature will be implemented gradually as part of the Safe Browsing feature that can be configured from the '

Sync & Google Services ' Chrome setting.

Google has also announced a feature called 'Real-time phishing protection' that protects your Chrome password even if you have not enabled account synchronization. The safe browsing function implemented in Chrome so far downloads a `` blacklist '' of dangerous URLs such as malware created by Google and security companies in cooperation with every 30 minutes, It was to compare the URLs entered.

However, the local blacklist is updated every 30 minutes, so some phishing sites slipped through the local blacklist using techniques such as switching domains quickly.

'Real-time phishing protection' compares the URLs entered into Chrome against a list of 'URLs you already know are safe', such as well-known websites stored in your Chrome. If the URL you are trying to access is not on the list, Chrome will perform a blacklist check against Google to evaluate the safety of that URL. According to Google, 'Real-time phishing protection increases the likelihood of protecting users from malicious sites by 30%.' Real-time phishing protection is enabled when 'Improve search and browsing' is turned on in 'Sync and Google services' in Chrome settings, and it will eventually be applied to all users.

In addition, when logged in to Chrome 79, a feature called 'Predictive Phishing Protection' is now enabled. If you enter the password stored in Chrome into a site other than 'URLs already known to be secure', Chrome will check the URL with Google to determine if it is a malicious site. If the review determines that the site is very suspicious or malicious, Chrome will immediately display a warning to change your password.

Google states that 'predictive phishing protection can help protect hundreds of millions more people's data.'