Google's password verification feature has slowly spread throughout the Google ecosystem over the past year. It started as a "Password Checkup" extension for desktop versions of Chrome, which checked individual passwords as they were typed. Several months later, it was integrated into every Google Account as an on-demand checker that you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkup is integrated into the desktop and mobile versions of Chrome 79.
All of these password verification features work for people whose username and password combinations are stored in Chrome and synced to Google's servers. Because Google has a large (encrypted) database of all your passwords, it can also compare them to a public list of 4 billion compromised usernames and passwords that have been exposed through countless security holes over the years. Each time Google finds a match, you are notified that a particular set of credentials is public and insecure and that you should probably change your password.
Figure: How password verification works.
The whole point is safety, so Google compares your encrypted credentials with an encrypted list of compromised credentials. First, Chrome sends an encrypted 3-byte hash. If it matches, Google sends your local computer a database of all potentially matching usernames and passwords from the compromised credentials list, encrypted with a key held by Google. You also get back a copy of your own passwords encrypted with two keys: one is your ordinary private key, and the other is the same key that is used for Google's list of compromised credentials. Your computer then removes the layer added with your private key, leaving your username and password encrypted only with Google's key, which can be compared to the Google-key-encrypted database of compromised credentials. According to Google, this technique, referred to as "private set intersection," means that you do not see Google's list of compromised credentials and Google does not learn your credentials, but the two can still be compared for matches.
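The exchange described above, as an added Python sketch that is not Google's or Chrome's code: modular exponentiation stands in for the two-key encryption, and SHA-256, the Mersenne-prime modulus, the unencrypted 3-byte bucket prefix, and all function and class names are assumptions chosen for illustration.

```python
import hashlib, math, secrets

# Illustrative modulus (Mersenne prime 2^521 - 1), not a vetted production group.
P = 2**521 - 1
# Constructed sample data standing in for the breach list.
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "123456")]

def keygen():
    """Secret exponent invertible mod P-1, so its layer can be removed later."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def digest(username, password):
    return hashlib.sha256(f"{username}\x00{password}".encode()).digest()

def to_group(username, password):
    """Map a credential pair to an element of [2, P-1]."""
    return int.from_bytes(digest(username, password), "big") % (P - 2) + 2

class Server:
    def __init__(self, breached):
        self.key = keygen()
        self.buckets = {}  # 3-byte prefix -> set of server-encrypted entries
        for u, p in breached:
            enc = pow(to_group(u, p), self.key, P)
            self.buckets.setdefault(digest(u, p)[:3], set()).add(enc)

    def lookup(self, prefix, blinded):
        """Add the server's layer to the client's value; return it with the bucket."""
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())

def is_compromised(server, username, password):
    a = keygen()  # client's one-time key
    blinded = pow(to_group(username, password), a, P)  # server sees only this
    double, bucket = server.lookup(digest(username, password)[:3], blinded)
    # Remove the client's layer: (h^(a*b))^(1/a) = h^b, now comparable to the bucket.
    server_only = pow(double, pow(a, -1, P - 1), P)
    return server_only in bucket

if __name__ == "__main__":
    srv = Server(BREACHED)
    print(is_compromised(srv, "alice@example.com", "hunter2"))
    print(is_compromised(srv, "alice@example.com", "correct horse battery staple"))
```

The 3-byte prefix only narrows the search to a bucket; the actual match is decided on values that neither side can read without the other's key.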
Building password verification into Chrome should make password monitoring more mainstream. Only the most security-conscious people would search for and install the Chrome extension or run the full password verification at passwords.google.com. These individuals are likely to have better password hygiene in the first place. Integrating the feature into Chrome puts it in front of mainstream users who typically do not think about password security. These are the very people who need these kinds of things. This is also the first time that password verification is available on mobile devices, as Chrome on mobile devices still does not support extensions (Google plz).
Google says, "Currently, this will be phased in for anyone who signs in to Chrome as part of our secure browsing protection." Users can control the feature in the "Sync and Google services" section of Chrome settings. If you're not signed in to Chrome and you're not syncing your data with Google's servers, the feature will not work.
Because Password Checkup is built into Chrome, the extension is no longer really useful. The web version is still great as a full password check for all Google-stored passwords. The Chrome built-in version continuously checks your passwords as you type.