Google said Tuesday that it’s ensuring that password security straddles both your phone, your PC, and your Chromebook. The company is bringing Password Checkup, a feature it introduced to Chrome in 2019, to Android.
Password Checkup simply ensures that a password you either pick or are currently using hasn’t been exposed in a password breach. Every year or so password files at major sites are breached and leaked to the web. Knowing if your password has been stolen and compromised is a significant part of maintaining your online security.
The best password managers
Why your browser’s password manager isn’t good enough
5 alarming facts in honor of World Password Day
Google is bringing Password Checkup to Android versions 9 and later, via what it calls Autofill for Google. “Whenever you fill or save credentials into an app, we’ll check those credentials against a list of known compromised credentials and alert you if your password has been compromised,” Arvind Kumar Sugumar, a software engineer with the Android team, wrote in a blog post announcing the move.
That popup alert, shown in the image above, will also bring you to the Password Manager page, where you can review your passwords—and, more importantly—check to see if any passwords have been compromised or duplicated. Google, like Microsoft or any number of free password managers, will store your passwords in a secure vault. To let Google select a randomized password for you, you can access the service’s password-creation field, long-press it, and then select “Autofill.”
You’ll need to make sure to have Autofill enabled on your Android device before you can do that. To do so, follow the following instructions.
- Open your phone’s Settings app
- Tap System > Languages & input > Advanced
- Tap Autofill service
- Tap Google to make sure the setting is enabled
Your phone will send an encrypted hash of the database to Google, with the first two bytes unencrypted to partition the database. Google said, however, that it will send a list of breached credentials that share the same prefix back to your device. There, your device will privately confirm whether your password has been compromised—Google won’t know anything about it.