Chrome Password Checkup (2026)

Last updated: April 17, 2026

Chrome Password Checkup: Complete Guide for Developers and Power Users

Chrome’s built-in password checkup feature provides a powerful first line of defense against credential-based attacks. For developers and power users managing numerous accounts across development environments, staging servers, and production services, understanding how to use this tool effectively can prevent security breaches before they occur.

What Chrome Password Checkup Actually Does

Chrome’s password checkup operates on three distinct security fronts: compromised credential detection, password strength analysis, and uniform password identification. The feature integrates directly with Google’s underground database of billions of credentials that have appeared in known data breaches.

When Chrome detects you entering credentials on a website, it hashes the username and compares it against this breach database. If a match appears, Chrome immediately flags the credential as compromised and prompts you to change it. This happens entirely client-side, your actual credentials never leave your device in plaintext form.

The Technical Foundation

Chrome uses k-anonymity to protect your data during the checkup process. Here’s how it works conceptually:

Your password gets transformed using a salted hash
Only the first few characters of the hash get sent to Google’s servers
Google returns all matching compromised passwords
Your local browser completes the comparison

This approach means Google never sees your actual password or even its full hash. The implementation demonstrates how security tools can balance user protection with privacy requirements.

The same k-anonymity protocol powers the HaveIBeenPwned API. You can replicate the logic locally to understand the mechanics:

import hashlib
import requests
def check_password_pwned(password: str) -> int:
 """
 Returns the number of times a password appears in breach data.
 Uses k-anonymity: only the first 5 hex chars of the SHA-1 hash are sent.
 """
 sha1 = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
 prefix, suffix = sha1[:5], sha1[5:]
 response = requests.get(f"https://api.pwnedpasswords.com/range/{prefix}")
 hashes = (line.split(':') for line in response.text.splitlines())
 for hash_suffix, count in hashes:
 if hash_suffix == suffix:
 return int(count)
 return 0
Usage
count = check_password_pwned("hunter2")
if count > 0:
 print(f"Password found {count} times in breach data. Change it immediately.")
else:
 print("Password not found in known breaches.")

This is functionally equivalent to what Chrome does internally. the network payload reveals only the first 5 characters of a SHA-1 hash, making it computationally infeasible to reconstruct the original password from intercepted traffic.

Accessing Password Checkup in Chrome

Chrome provides multiple entry points for running password checks across your saved credentials.

Method 1: Settings-Based Checkup

Navigate to Chrome settings and access the password manager:

chrome://settings/passwords

Look for the “Check passwords” option under the saved passwords section. Chrome will scan your entire credential vault and present a detailed report showing:

Number of compromised passwords
Weak passwords lacking sufficient complexity
Passwords used across multiple sites (uniform passwords)

You can also reach the password safety check directly:

chrome://settings/safetyCheck

This surface shows password issues alongside other browser health metrics like outdated extensions and Safe Browsing status. useful when you want a full picture of your browser’s security posture in one place.

Method 2: Extension-Based Access

For developers who prefer keyboard-driven workflows, Chrome’s password checkup integrates with the Chrome Web Store. Search for “Password Checkup” to find Google’s official extension, which provides:

Real-time alerts when visiting sites with compromised credentials
Dashboard view of all security issues
One-click navigation to affected login pages

Method 3: Command-Line Verification (For Advanced Users)

While Chrome doesn’t offer a native CLI for password checkup, developers can export their credentials for analysis using Chrome’s built-in export feature. This allows custom scripting:

Export passwords from Chrome (creates CSV file)
Navigate to: chrome://settings/passwords
Click "Export passwords" button
Analyze exported passwords with custom tools
python3 analyze_passwords.py exported_passwords.csv

A more thorough local analysis script that evaluates password strength and breach status:

import csv
import hashlib
import requests
import re
import time
def assess_strength(password: str) -> str:
 """Score password strength: weak / fair / strong"""
 if len(password) < 8:
 return "weak"
 has_upper = bool(re.search(r'[A-Z]', password))
 has_lower = bool(re.search(r'[a-z]', password))
 has_digit = bool(re.search(r'\d', password))
 has_special = bool(re.search(r'[^A-Za-z0-9]', password))
 score = sum([has_upper, has_lower, has_digit, has_special])
 if len(password) >= 16 and score >= 3:
 return "strong"
 if len(password) >= 12 and score >= 2:
 return "fair"
 return "weak"
def check_pwned(password: str) -> int:
 sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
 prefix, suffix = sha1[:5], sha1[5:]
 r = requests.get(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=5)
 for line in r.text.splitlines():
 h, count = line.split(':')
 if h == suffix:
 return int(count)
 return 0
def analyze_export(filepath: str):
 results = {"compromised": [], "weak": [], "reused": []}
 seen_passwords = {}
 with open(filepath, newline='', encoding='utf-8') as f:
 reader = csv.DictReader(f)
 entries = list(reader)
 for entry in entries:
 name = entry.get('name', entry.get('url', 'Unknown'))
 pwd = entry.get('password', '')
 username = entry.get('username', '')
 # Track reuse
 if pwd not in seen_passwords:
 seen_passwords[pwd] = []
 seen_passwords[pwd].append(name)
 # Strength check
 strength = assess_strength(pwd)
 if strength == "weak":
 results["weak"].append({"site": name, "username": username})
 # Breach check (rate-limited)
 count = check_pwned(pwd)
 if count > 0:
 results["compromised"].append({
 "site": name,
 "username": username,
 "breach_count": count
 })
 time.sleep(0.15) # Respect rate limits

 # Identify reused passwords
 for pwd, sites in seen_passwords.items():
 if len(sites) > 1:
 results["reused"].append({"sites": sites, "count": len(sites)})
 return results
if __name__ == "__main__":
 import json
 report = analyze_export("exported_passwords.csv")
 print(json.dumps(report, indent=2))

Running this against your Chrome export gives you a full triage report before you even open the browser UI.

Practical Applications for Developers

Monitoring Development Environment Credentials

Developers often maintain separate accounts for development, staging, and production environments. Password checkup helps identify:

Compromised development credentials that might signal an active attack
Weak passwords on staging environments that is exploited
Uniform passwords across different environment tiers

A common mistake is using the same password on dev, staging, and production. If your dev database has a weak admin password and that environment is publicly reachable, an attacker can use it as a pivot to understand your architecture even before reaching production.

Credential Risk by Environment Tier

Environment	Risk Level	Recommended Practice
Local dev	Low	Unique password acceptable; no prod data
Staging (private)	Medium	Unique strong password; rotate quarterly
Staging (public URL)	High	Strong unique password; MFA if supported
Production	Critical	Strong unique password; MFA mandatory; rotate on incidents
CI/CD service accounts	Critical	Machine-generated secrets; rotate via automation
Shared team accounts	High	Password manager + shared vault; avoid where possible

CI/CD Pipeline Security

Integrate password checkup concepts into your security pipeline:

Check if deployment credentials appear in breach databases
Using haveibeenpwned API (for educational purposes)
#!/bin/bash
EMAIL="[email protected]"
Query HIBP API for breach occurrences
RESPONSE=$(curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/$EMAIL")
if [ -n "$RESPONSE" ]; then
 echo "Warning: Email found in data breaches"
 echo "$RESPONSE" | jq '.[].Name'
fi

Extend this into a GitHub Actions workflow that alerts on each deploy:

.github/workflows/credential-check.yml
name: Credential Breach Check
on:
 schedule:
 - cron: '0 9 * * 1' # Every Monday at 9 AM
 workflow_dispatch:
jobs:
 breach-check:
 runs-on: ubuntu-latest
 steps:
 - name: Check deploy email for breaches
 run: |
 EMAIL="${{ secrets.DEPLOY_EMAIL }}"
 RESPONSE=$(curl -s \
 -H "hibp-api-key: ${{ secrets.HIBP_API_KEY }}" \
 -H "user-agent: CredentialAudit/1.0" \
 "https://haveibeenpwned.com/api/v3/breachedaccount/${EMAIL}")
 if [ -n "$RESPONSE" ]; then
 echo "::warning::Deploy email found in breach: $RESPONSE"
 exit 1
 else
 echo "No known breaches found."
 fi

API Key Management Considerations

While Chrome’s password checkup focuses on website credentials, developers should apply similar vigilance to API keys. Consider these practices:

Rotate API keys regularly, especially after security incidents
Store API keys in environment variables rather than hardcoding
Use secret management services like HashiCorp Vault or AWS Secrets Manager

You can scan your own repositories for accidentally committed secrets using truffleHog or gitleaks:

Scan your entire git history for secrets
docker run --rm -v "$(pwd):/repo" trufflesecurity/trufflehog:latest \
 git file:///repo --only-verified
Or with gitleaks
gitleaks detect --source . --verbose

Both tools flag API keys, tokens, and passwords that were committed at any point in history. not just in the current working tree.

Understanding the Security Tradeoffs

Password Manager Comparison for Developers

Tool	Breach Monitoring	CLI Support	Self-Hostable	Team Sharing	Open Source
Chrome Password Manager	Yes (k-anon)	No	No	No	No
Bitwarden	Yes (HIBP)	Yes	Yes	Yes	Yes
1Password	Yes	Yes (op CLI)	No	Yes	No
Passbolt	Manual	Yes	Yes	Yes	Yes
gopass	Manual	Yes	Yes	Yes	Yes
LastPass	Yes	No	No	Yes	No

What Password Checkup Doesn’t Cover

Chrome’s password checkup has intentional limitations:

It only checks credentials saved in Chrome’s password manager
It doesn’t monitor credentials stored in third-party password managers
It doesn’t check passwords you haven’t saved in Chrome yet
The service only covers known breaches, zero-day exposures won’t appear

For developers these gaps matter. If you use Firefox for one project and Chrome for another, Chrome’s checkup has zero visibility into Firefox’s saved credentials. A multi-browser workflow requires either a dedicated password manager that works across browsers or separate audits for each.

Privacy Considerations

Despite the k-anonymity implementation, some users prefer not to use browser-based password checking. Alternatives include:

Dedicated password managers with breach monitoring (Bitwarden, 1Password)
Self-hosted solutions like Passbolt
Command-line tools like gopass with manual breach checking

If privacy is the primary concern, you can perform the entire HIBP lookup entirely offline by downloading the HIBP password hash database (approximately 12 GB compressed) and running checks against a local copy:

Download the HIBP SHA-1 ordered list (large file)
https://haveibeenpwned.com/Passwords - use the torrent for efficiency
Check a password hash locally without any network request
echo -n "mysecretpassword" | sha1sum | tr '[:lower:]' '[:upper:]' | \
 awk '{print $1}' | \
 xargs -I{} grep -c "^{}" pwnedpasswords_sha1_ordered_by_hash.txt

This produces a fully air-gapped breach check appropriate for high-security environments.

Automating Password Health Checks

For teams managing multiple accounts, consider implementing automated password rotation reminders:

// Example: Simple script to check password age from Chrome export
const fs = require('fs');
const Papa = require('papaparse');
const passwords = Papa.parse(fs.readFileSync('passwords.csv', 'utf8'), {
 header: true,
 skipEmptyLines: true
});
const thirtyDaysAgo = new Date();
thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
const oldPasswords = passwords.data.filter(entry => {
 // Note: Chrome export format may vary
 const lastUsed = new Date(entry.date_last_used || entry.date_created);
 return lastUsed < thirtyDaysAgo;
});
console.log(`Found ${oldPasswords.length} passwords older than 30 days`);

You can extend this into a full rotation reminder system that posts to Slack:

const { IncomingWebhook } = require('@slack/webhook');
const fs = require('fs');
const Papa = require('papaparse');
const WEBHOOK_URL = process.env.SLACK_WEBHOOK_URL;
const ROTATION_DAYS = 90;
async function auditAndNotify() {
 const webhook = new IncomingWebhook(WEBHOOK_URL);
 const raw = fs.readFileSync('passwords.csv', 'utf8');
 const { data } = Papa.parse(raw, { header: true, skipEmptyLines: true });
 const cutoff = new Date();
 cutoff.setDate(cutoff.getDate() - ROTATION_DAYS);
 const stale = data.filter(entry => {
 const ts = new Date(entry.date_last_used || entry.date_created || 0);
 return ts < cutoff;
 });
 if (stale.length === 0) return;
 const lines = stale
 .slice(0, 10) // Limit to 10 in notification
 .map(e => `• ${e.name || e.url} (${e.username})`)
 .join('\n');
 await webhook.send({
 text: `*Password Rotation Reminder*\n${stale.length} credential(s) not rotated in ${ROTATION_DAYS}+ days:\n${lines}`
 });
}
auditAndNotify().catch(console.error);

Run this as a weekly cron job and your team gets a Slack alert before credentials go stale.

Integrating with Developer Tooling

VS Code Extension Audit

Developers with large VS Code setups often store service tokens in extension settings. While Chrome’s checkup won’t surface these, you can audit them via the VS Code CLI:

List all installed extensions and check for known vulnerable versions
code --list-extensions --show-versions | \
 awk -F@ '{print $1 " " $2}' > installed_extensions.txt
Check each against the VS Marketplace for security advisories
(requires marketplace API access or manual review)
cat installed_extensions.txt

Combine this with periodic review of ~/.config/Code/User/settings.json to ensure no tokens or API keys have been pasted inline during debugging sessions.

Git Configuration Security

Check your global git config for accidentally persisted credentials:

View all configured credential helpers and stored credentials
git config --global --list | grep credential
If using git-credential-store (plaintext file), audit it
cat ~/.git-credentials 2>/dev/null || echo "No credential store found"
Better: use git-credential-manager or osxkeychain
git config --global credential.helper osxkeychain # macOS
git config --global credential.helper manager # Windows/Linux via GCM

The plaintext ~/.git-credentials file is a common source of credential exposure on developer machines. it stores tokens in plain text, and any process or script running under your user account can read it without prompting.

Best Practices for Developer Password Hygiene

Enable two-factor authentication everywhere possible, especially for code repositories
Use unique passwords for each service. never reuse credentials across environments
Rotate credentials on a regular schedule, particularly after team member departures
Audit access logs for suspicious activity, particularly on production services
Educate team members about phishing indicators and credential security
Use machine-generated secrets for CI/CD. services like GitHub Actions, GitLab CI, and CircleCI all provide built-in secret management; use them instead of copying credentials from a password manager
Check newly onboarded services. every time you sign up for a new tool, run a password checkup immediately to confirm the account is using a unique, strong credential
Set Chrome’s password manager to generate passwords rather than typing your own. Chrome’s generator uses cryptographically secure randomness and stores the result automatically

Password Strength Quick Reference

Length	Character Set	Entropy	Time to Crack (Modern GPU)
8 chars	lowercase only	~37 bits	Seconds
8 chars	mixed case + digits	~47 bits	Hours
12 chars	mixed case + digits + symbols	~79 bits	Centuries
16 chars	mixed case + digits + symbols	~105 bits	Practically infinite
20 chars	any printable	~131 bits	Beyond heat death of universe

For developer accounts with privileged access (GitHub org owner, AWS root, production database), treat 16+ characters as the floor, not the ceiling.

Conclusion

Chrome password checkup provides a valuable layer of security for developers and power users. Its integration with the browser makes it convenient for quick audits, while the k-anonymity approach demonstrates thoughtful privacy implementation. However, it works best as part of a comprehensive password management strategy rather than as a standalone solution.

For developers managing multiple environments and services, combining Chrome’s built-in checkup with dedicated password managers, regular security audits, and proper secret management practices creates a solid security posture. Automating breach checks in CI/CD pipelines, scanning git history for leaked secrets, and using machine-generated credentials for service accounts all compound to reduce your credential attack surface significantly.

The key is treating password security as an ongoing process rather than a one-time configuration. Schedule monthly checkups, automate what you can, and build the habit of running a breach check any time you onboard a new service or rotate a team member off a project.

I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel. These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code. **[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=chrome-password-checkup)** $99 once. Free forever. 47/500 founding spots left.