HACKER Q&A
📣 photoGrant

Google Chrome is uploading my password to their password leak API?


I'm curious. I was logging into a website to download some trial software; in the meantime Chrome popped up asking if I wanted to save that password to their manager. I said 'Never' as usual, but I noticed they sent the password I typed regardless to their URL 'passwordleakcheck-pa.googleapis.com'.

Anyone have any insight? This doesn't feel right.

edit: There's the likelihood it's the other way around? They're downloading a big list of leaked hashes and checking it locally...


  👤 viberncg Accepted Answer ✓

👤 m3drano
"Chrome first sends an encrypted, 3-byte hash of your username to Google, where it is compared to Google's list of compromised usernames. If there's a match, your local computer is sent a database of every potentially matching username and password in the bad credentials list, encrypted with a key from Google. You then get a copy of your passwords encrypted with two keys—one is your usual private key, and the other is the same key used for Google's bad credentials list. On your local computer, Password Checkup removes the only key it is able to decrypt, your private key, leaving your Google-key-encrypted username and password, which can be compared to the Google-key-encrypted database of bad credentials. Google says this technique, called "private set intersection," means you don't get to see Google's list of bad credentials, and Google doesn't get to learn your credentials, but the two can be compared for matches." https://arstechnica.com/gadgets/2019/12/googles-password-che...
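To make the flow quoted above concrete, here is a small worked model of that private set intersection exchange. It is an added illustration, not code from Chrome, Google, or the Ars article: the server-side key, the client blinding key, the 3-byte username hash prefix from the quoted description, and the credential encoding are all assumptions of this example, and modular exponentiation modulo the Mersenne prime 2^521 - 1 stands in as the commutative cipher (a toy parameter choice so the script runs offline; it is not the group the real service uses). The point it demonstrates is the one the answer makes: the server only ever sees a hash prefix and a blinded value, the client never sees the raw breach list, and a match is still detectable.

```python
import hashlib
import secrets
from math import gcd

# Toy group for the example: Z_p^* with p = 2^521 - 1 (a Mersenne prime).
# Exponentiation is commutative: (H^a)^b == (H^b)^a, which is all PSI needs.
# The real service's parameters are not public here; this is an assumption.
P = 2**521 - 1
ORDER = P - 1  # exponents are taken modulo the group order


def hash_to_group(data: bytes) -> int:
    """Map bytes to a non-trivial element of Z_p^* (simple hash-to-group, assumed)."""
    h = int.from_bytes(hashlib.sha512(data).digest(), "big") % P
    return h if h > 1 else 2  # avoid 0 and 1, which would break the exponent math


def random_key() -> int:
    """Random exponent invertible modulo ORDER, so 'decrypt' can undo 'encrypt'."""
    while True:
        k = secrets.randbelow(ORDER)
        if k > 1 and gcd(k, ORDER) == 1:
            return k


def encrypt(x: int, key: int) -> int:
    return pow(x, key, P)


def decrypt(y: int, key: int) -> int:
    # Strip one key layer: y^(key^-1 mod ORDER). Commutativity means it does not
    # matter whether the client's or the server's layer was applied first.
    return pow(y, pow(key, -1, ORDER), P)


def credential_hash(username: str, password: str) -> int:
    """Hash of the (username, password) pair; the NUL separator is an assumed encoding."""
    return hash_to_group(username.lower().encode() + b"\x00" + password.encode())


def username_prefix(username: str) -> bytes:
    """3-byte prefix of the hashed username, as in the quoted description."""
    return hashlib.sha256(username.lower().encode()).digest()[:3]


class LeakCheckServer:
    """Holds the breach list encrypted under the server key, bucketed by prefix."""

    def __init__(self, breached_credentials):
        self.key = random_key()
        self.buckets = {}
        for user, pw in breached_credentials:
            bucket = self.buckets.setdefault(username_prefix(user), [])
            bucket.append(encrypt(credential_hash(user, pw), self.key))

    def lookup(self, prefix: bytes, blinded_credential: int):
        # The server sees only the prefix and H^a (blinded by the client's key a).
        # It returns H^(a*b) plus every breached entry in the bucket as H'^b.
        return encrypt(blinded_credential, self.key), list(self.buckets.get(prefix, []))


def client_check(server: LeakCheckServer, username: str, password: str) -> bool:
    """Return True if (username, password) is in the server's breach list."""
    a = random_key()                                     # client's private key
    blinded = encrypt(credential_hash(username, password), a)
    double_encrypted, bucket = server.lookup(username_prefix(username), blinded)
    server_only = decrypt(double_encrypted, a)           # remove own key -> H^b
    return server_only in bucket                          # compare under the server key


# Constructed sample breach list for the demonstration.
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]


def run_demo() -> dict:
    server = LeakCheckServer(BREACHED)
    return {
        "leaked_pair": client_check(server, "alice@example.com", "hunter2"),
        "same_user_other_password": client_check(server, "alice@example.com", "other-pw"),
        "unknown_user": client_check(server, "carol@example.com", "hunter2"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the client key `a` is fresh for every lookup and the server applies the same key `b` to both the client's blinded value and the stored list, membership is decided by an equality check that neither side could have performed alone; the client's plaintext credential never leaves the machine, and the breach list only reaches it under the server key.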

👤 worldsavior
> I said 'Never' as usual

Then turn off password saving in Chrome settings.

The password is hashed; it doesn't hurt.