A big problem with passwords is that people use the same one over and over. This means that hackers who steal a password for one website—like for a hotel reward program—can often use it in many other places—such as to unlock their bank account. As a result, compromised passwords can turn into a skeleton key for hackers to break into many parts of a victim’s digital life.
To reduce this risk, Google is rolling out a nifty tool that warns users when they visit the website of a company that has been the victim of a data breach, and tells them if their password has been compromised.
Google announced the new tool on Wednesday, alongside a service where users can audit all of their passwords to see if any have been exposed to hackers.
Google developed the Chrome browser-based tool by scanning the open web for exposed passwords, and working with security firms that survey the so-called dark web—where hackers sell passwords obtained in bulk from data breaches at companies like Marriott and Dunkin’ Donuts.
While security sites like haveibeenpwned.com require consumers to plug in their email addresses to see if it has been involved in a data breach, Google’s initiative promises to spread awareness about these vulnerabilities to many more people.
In practice, this may mean that when a Chrome user visits a site like Ancestry.com (site of another large data breach), they will be warned that their password for the site is circulating among hackers—a good prompt to change it.
Google’s new warning process is not automatic, however. It requires users to take a step beyond using the auto-fill tool on Chrome, which saves passwords for the next time a user visits a website. In order to use the warning service, consumers must go to Google’s Password Management site and turn on a “sync” feature. Doing so will allow Google to store all of a user’s saved passwords, and inform them if any have been compromised in a breach.
But this “sync” feature may be alarming to some web users, as it amounts to putting all of your eggs (or passwords) in one basket, where they could theoretically be at risk to hackers, or someone at Google.
Mark Risher, a security executive at Google, says this risk is minimal, however. In a call with Fortune, he likened storing passwords with Google to putting one’s money in the bank.
“You want to put your eggs in the most secure place possible like a bank, which has one job when it comes to security. And Google is the most security-minded company there is,” Risher says, adding the company has elaborate systems to protect passwords from insider threats.
In order to use the security audit feature, users can go to the Password Manager page, where a “check-up” will display all of their passwords, showing which have been reused and which have been exposed in a breach. The check-up also highlights users’ weak, easy-to-guess passwords.
According to Risher, a recent survey shows that 24% of Americans use one of ten notoriously guessable passwords like “123456” or “password,” while one third use their birthdays or kids’ names as passwords.
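To make the check-up concrete, here is an added example (not Google’s code, and not a description of Google’s actual protocol) that audits a constructed, fictitious password vault for the three findings the article lists: reused passwords, weak passwords, and passwords that appear in a breach corpus. The breach lookup is modeled on the hash-prefix (k-anonymity) query style that services like haveibeenpwned use, so only the first five characters of a hash would ever leave the client; the corpus, vault and weak-password list are all constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault of (site, username, password). Not real credentials.
VAULT = [
    ("hotel-rewards.example", "alice", "Summer2019!"),
    ("bank.example", "alice", "Summer2019!"),    # same password as the hotel site
    ("ancestry.example", "alice", "password"),    # weak and present in the breach corpus
    ("mail.example", "alice", "x9#Qw7!zLp2$Rt"),  # unique, strong, not leaked
]

# Constructed stand-in for a breach corpus: SHA-1 digests of leaked passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "Summer2019!")
}

# Short constructed list of notoriously guessable passwords (see the survey above).
WEAK_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678"}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query(prefix):
    """Simulated k-anonymity lookup: given a 5-character hash prefix, return the
    suffixes of every breached hash sharing it. The full hash is never sent."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])   # match the remainder locally

def checkup(vault):
    """Return {site: [issues]} for every site whose password is reused, weak or breached."""
    sites_by_password = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_password[pw].append(site)
    findings = {}
    for site, _user, pw in vault:
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if pw in WEAK_PASSWORDS:
            issues.append("weak")
        if is_breached(pw):
            issues.append("breached")
        if issues:
            findings[site] = issues
    return findings
```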
In the case of reused passwords, the risk has increased in recent years, as hackers have found new ways to exploit them. This includes a recent wave of shakedown emails where scammers display the password and tell users they’ve broken into their computers and obtained records of their porn-watching behavior—and then demand a Bitcoin payment not to reveal it.
Google’s new password security audit feature is now available, while the tool that warns users about compromised websites will roll out in coming weeks.
Meanwhile, Google also announced a series of other privacy measures on Wednesday, including “Incognito mode” for maps and a tool to automatically delete browsing history in YouTube.