Unlike some similar tools, the tool only looks for breaches that contain the specific combination of username/email address and password. Some other services will carry out one search for the username or email and then another search for the password.
Google's approach does have some benefits because it overcomes the problem that, frankly speaking, any username or email address has probably been involved in at least one security breach at some point. That fact isn't necessarily of any significance or pose a security threat for the particular site the user is visiting right now.
According to Paul Wagenseil of Tom's Guide, the downside to the "Password Checkup" tool is that it can be reverse engineered. For example, hackers may might attempt a
dictionary attack on Google's databases with username / password combinations, which would then reveal information about a particular user. That would be a major security problem if it was successful. (Source:
tomsguide.com)
For its part, Google says it has designed the system "to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords."
It says the key is to make sure the tool can "query Google about the breach status of a username and password without revealing the information queried." To do this, it uses "rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding." (Source:
googleblog.com)
thehackernews.com
