New tools on Chrome & Edge will make it easier for browser users to discover – & change – compromised passwords.
Two major browsers – Microsoft Edge & Google Chrome – are launching default features that they say will better notify users if their password has been compromised as part of a breach or database exposure.
Edge & Chrome’s moves signify a bigger drive by browsers to solve the big “password problem” plaguing the security industry for years. In the last 2 years, major browsers (including Mozilla Firefox) have launched built-in tools for helping users identify passwords that are increasingly caught up in data breaches, & easily change them.
Microsoft said last Thursday that its next version of Edge (version 88.0.705.50) will generate alerts if a user's password is found in an online leak. The tool, called Password Monitor, will check users' passwords against a data repository of known, breached credentials.
If the passwords saved to the browser match those on a list of leaked credentials, Password Monitor will send users alerts & prompt them to update their passwords.
“To ensure security & privacy, user passwords are hashed & encrypted when they’re checked against the database of leaked credentials,” explained Microsoft.
Also, Microsoft’s newest Edge version will include a built-in “strong password generator,” which it hopes will promote strong passwords for internet users who are signing up for a new account or changing an existing password.
Security experts were pleased with the new measures. “By having the password management feature in the browsers look for compromised credentials, it allows the potential victim to change the password in other places before it impacts them,” Erich Kron, Security Awareness Advocate at KnowBe4, outlined.
“Hopefully, it will also demonstrate to the individual the importance of not reusing passwords across multiple services.”
Google Chrome’s Password Protections
Google also announced last week that it will be introducing new features that consolidate its password protections – & make them more seamless for users – in Chrome 88 over the coming weeks. Chrome 88 will allow users to launch a simple check to identify any weak passwords & “take action easily.”
By navigating to the top of their browser & clicking on passwords & “Check Passwords,” users are able to easily check whether any of their passwords have been compromised in a breach, & on the same page edit their passwords to choose safer alternatives if need be.
Chrome already alerts users if their passwords have been compromised & prompts them to update. However, the idea here is to give users the ability to update multiple usernames & passwords easily, all in one place.
“That’s why starting in Chrome 88, you can manage all of your passwords even faster & easier in Chrome Settings on desktop & iOS (Chrome’s Android app will be getting this feature soon, too),” outlined Google.
Chrome also provided an update on its existing password protection tools, including Safety Check, launched in 2020, which tells Chrome users if passwords they have asked the browser to remember have been compromised. Google commented that, as a result of Safety Check, it has seen a 37% reduction in compromised credentials stored in Chrome.
With data breaches continuing to hit companies, attackers are accessing credentials broadly. However, compromised data isn’t leading to actionable changes by consumers: a 2020 survey found that half of respondents hadn’t changed their password in the last 12 months, even after they heard about a data breach on the news.
This “password problem” has challenged the security industry for years, with companies dealing with issues like poor password hygiene, password reuse or easy-to-guess passwords.
To make matters worse, passwords are appearing all over the place online as part of major data breaches – but victims are not changing their passwords at all across various platforms.
The Collection #1 data dump in 2019, for instance, which included 773m credentials, & the subsequent Collection #2-5 dumps show exactly how many passwords are available on the Dark Web & underground forums.
“Password compromise is a huge ongoing issue leading to everything from data breaches to ransomware or other malware infections,” Kron observed.
“This is in large part due to the practice of credential stuffing. This is where cybercriminals take known usernames & passwords from previous breaches & attempt to use them on other services. Knowing that people tend to reuse passwords across multiple services, they know the odds of success are worth the effort.”
Lamar Bailey, Senior Director of Security Research with Tripwire, commented that passwords are “the Achilles heel of cybersecurity.”
“The vast majority of breaches start with stolen, weak or reused passwords,” Bailey stated.
“Our brains can’t keep up with a long list of passwords that map to all of the various sites, assets & services we access on a given day. 3rd-party password vaults… have become the de facto standard to solve this problem. With the latest update, Chrome & Edge will be competing with these 3rd-party products by offering some of the same features.”