Chrome 79 includes anti-phishing and hacked password protection – Naked Security


Version 79 of Chrome is out, and it promises to do a better job of protecting you against phishing sites and credential stuffing attacks.

Since 2017, Chrome has protected users against phishing by checking the sites you enter your Google credentials into against a list of known phishing sites. It keeps these as part of its Safe Browsing initiative. Google synchronises its list of bad sites with the browser every 30 minutes, but because sites change so quickly, that means users might fall victim to new sites that had come online just minutes earlier.

Chrome 79, released on Tuesday 10 December, now performs that phishing protection in real-time, even for users with the synchronisation feature turned off. The company says this will protect users in 30% more cases. The protection has also been extended to include all the passwords stored in the Chrome password manager rather than just Google accounts. You can turn it on by enabling the ‘Make searches and browsing better’ option in Chrome.

The browser also now includes some other protections. It will now show you more clearly which profile the browser is currently using, which is handy for those sharing a browser and using different profiles. There’s also a feature that Google has been testing out for months: a built-in check for hacked passwords during site logins.

The feature began as a Chrome extension called Password Checkup that warned users their login credentials had been breached. Released in February 2019, it found that 1.5% of all web logins were using breached credentials, according to a Google survey released in August this year. That fuelled Google’s next move, in which it folded the feature directly into Chrome’s password manager. The service still didn’t check your credentials against hacked logins whenever you logged into a website. Instead, it would run the passwords you’d stored in the password manager service periodically to see if it found a match.

The version of Password Checkup integrated into Chrome 79 goes a step further. Now, it runs the check whenever you log into a site. Google is at pains to avoid any suggestion of creepiness or spying as part of this move, so it’s been pretty clever about how it performs the check. It wants to be clear that it doesn’t get to see your login credentials.

When you log into a website, Chrome will now send a hashed copy of your login credentials to Google. A hash creates a unique and reproducible string of text using whichever data you give to it, which identifies the data without revealing it. This data is encrypted in the browser using an encryption key to which only you have access.

Google already used its own key to encrypt the list of hacked login credentials that it sniffed from various sources online. It does the same thing with the credentials that Chrome sends it, encrypting them a second time.