Prevent password reuse

Chrome version 69 or later.

For administrators who manage Chrome Browser or Chrome devices for a business or school.

As a Chrome administrator, you can prevent users from using their password on dangerous websites or on websites that aren’t whitelisted by your organization. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

Before you begin

If your organization uses the Password Alert extension, users might get 2 sets of alerts when they reuse their password. Turn off the extension so that you and your users no longer receive alerts from it. Or, if you want to continue to receive alerts when Password Alert triggers without users getting them, set the Password Alert extension’s display_user_alert setting to false.

Step 1: Review policies

You can set one or more of the following policies:

Policy: description and settings

PasswordProtectionChangePasswordURL

Mandatory if you:

  • Have G Suite and single sign-on (SSO)
  • Don’t have G Suite

Specifies the URL of the webpage where users are redirected to change their password. Users are prompted to change their password if they reuse their password on a non-whitelisted website or are a victim of phishing.

When users change their password, a hashing algorithm scrambles it. The password hash is stored and used to detect password reuse.

Make sure that the change password URL that you specify follows these guidelines.

Unset: G Suite users are redirected to their Google Account to change their password.

PasswordProtectionLoginURLs

Mandatory if you:

  • Have G Suite and SSO
  • Don’t have G Suite

Specifies the URLs of webpages where users usually enter their password to sign in to their account. If a sign-in process is split across 2 pages, add the URL of the webpage where users enter their password.

When users enter their password, its hash is stored and used to detect password reuse.

Make sure that the sign-in URLs that you specify follow these guidelines.

Unset: Chrome captures the password hash only on the sign-in page to detect password reuse.

PasswordProtectionWarningTrigger

Specifies whether password reuse is detected on websites.

Choose one of the options:

0—PasswordProtectionWarningOff: Password reuse is never detected.

1—PasswordProtectionWarningOnPasswordReuse: Password reuse is detected if users reuse their password on a website that you didn’t whitelist. Users are prompted to change their password.

2—PasswordProtectionWarningOnPhishingReuse: If users reuse their password on a website that you didn’t whitelist, Chrome sends the URL to Google Safe Browsing to determine its reputation. If the website contains phishing content, users are prompted to change their password.

Unset: Defaults to 2—PasswordProtectionWarningOnPhishingReuse, as described above.

SafeBrowsingEnabled

Enables the Safe Browsing feature.

If this policy is turned off, all Safe Browsing features are turned off, including password protection.

Unset: Safe Browsing is turned on. Users can change it.

SafeBrowsingWhitelistDomains

Specifies the domains that are exceptions to the URLs that appear on Google’s Safe Browsing list. Whitelisted domains are not checked for:
  • Password reuse
  • Phishing and deceptive social engineering sites
  • Sites that host malware or unwanted software
  • Harmful downloads

Unset: URLs listed in PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL are automatically whitelisted for password reuse detection. All other URLs are checked for Safe Browsing.

Step 2: Set the policies


Follow the steps for the way you manage these policies.

Admin console
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click User & browser settings.
  4. On the left, select the organizational unit where you want to configure settings.
    For all users, select the top-level organization. Otherwise, select a child organization. Initially, an organizational unit inherits the settings of its parent.
  5. Scroll to Chrome Safe Browsing.
  6. For Safe Browsing, choose Always enable Safe Browsing.
  7. For Safe Browsing whitelisted domains, enter the URLs where users are allowed to reuse passwords.
  8. For Disable bypassing Safe Browsing warnings, choose whether to let users ignore warnings and proceed to malicious sites.
  9. For Password alert, choose an option:
    • No password protection warning—Password reuse is never detected.
    • Trigger on password reuse—Password reuse is detected if users reuse their password on a non-whitelisted website.
    • Trigger on password reuse on phishing page—Password reuse is detected if users reuse their password on a phishing website that appears on the Safe Browsing blocklist.
  10. Click Save.
Windows
Applies to Windows users who sign in to a managed account on Chrome Browser.
Computers must be joined to a domain using Microsoft® Active Directory® to set the following policies:
  • Password change URL
  • Sign-in URLs
  • Whitelisted domains

Using Group Policy

In your Microsoft Windows Group Policy Management Editor (Computer or User Configuration folder):

  1. Go to Policies and then Administrative Templates and then Google and then Google Chrome.
  2. Turn on Enable Safe Browsing.
    Tip: If you don’t see the policy, download the latest policy template.
    Leaving this policy Not configured uses the Unset behavior described above.
  3. Enable Configure the list of domains on which Safe Browsing will not trigger warnings.
    Leaving this policy Not configured uses the Unset behavior described above.
  4. Add the domains where users are allowed to reuse passwords.
  5. Enable Password protection warning trigger.
    Leaving this policy Not configured uses the Unset behavior described above.
  6. Set an option:
    • Password protection warning is off—Password reuse is never detected.
    • Password protection warning is triggered by password reuse—Password reuse is detected if users reuse their password on a non-whitelisted website.
    • Password protection warning is triggered by password reuse on phishing page—Password reuse is detected if users reuse their password on a website that appears on the Safe Browsing list.
  7. Enable Configure the change password URL.
    Leaving this policy Not configured uses the Unset behavior described above.
  8. Add the URL of the webpage where you want users to change their password.
  9. Enable Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.
    Leaving this policy Not configured uses the Unset behavior described above.
  10. Add the URLs of the webpages where users usually sign in to Chrome Browser. 
  11. Deploy the update to your users.
Mac
Applies to Mac users who sign in to a managed account on Chrome Browser.
In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users. 
  • Set the <SafeBrowsingEnabled> key to true.
  • Add the domains for which you want to turn off Safe Browsing to the <SafeBrowsingWhitelistDomains>  key.
  • Set the <PasswordProtectionWarningTrigger> key to <integer>value</integer>, where <value> is 0, 1, or 2.
  • Add the URL of the webpage where you want users to change their password to the <PasswordProtectionChangePasswordURL> key.
  • Add the URLs of the webpages where users usually sign in to Chrome Browser to the <PasswordProtectionLoginURLs> key. 

The following example shows how to:

  • Turn on Safe Browsing to help identify dangerous websites.
  • Specify webpages where users usually enter their password.
  • Whitelist domains that aren’t checked for password reuse.
  • Detect password reuse on non-whitelisted websites.
  • Set the webpage where users are prompted to change their password.
<!-- Key/value pairs to add inside the Chrome policy dictionary of the profile.
     A plist <dict> holds alternating <key>/value pairs, so each value follows
     its key directly rather than being wrapped in its own <dict>. -->
<key>SafeBrowsingEnabled</key>
<true/>
<key>PasswordProtectionWarningTrigger</key>
<integer>1</integer>
<key>PasswordProtectionChangePasswordURL</key>
<string>https://mydomain.com/change_password.html</string>
<key>PasswordProtectionLoginURLs</key>
<array>
  <string>https://mydomain.com/login.html</string>
  <string>https://login.mydomain.com</string>
</array>
<key>SafeBrowsingWhitelistDomains</key>
<array>
  <string>mydomain.com</string>
  <string>myuniversity.edu</string>
</array>
Linux
Applies to Linux users who sign in to a managed account on Chrome Browser.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file.
  3. Set SafeBrowsingEnabled to 1.
  4. Set PasswordProtectionWarningTrigger to 0, 1, or 2.
  5. Enter URLs as needed.
    • In PasswordProtectionChangePasswordURL, add the URL of the webpage where you want users to change their password.
    • In PasswordProtectionLoginURLs, add the URLs of the webpages where users usually sign in to Chrome Browser.
    • In SafeBrowsingWhitelistDomains, add the domains for which you want to turn off Safe Browsing.
  6. Deploy the update to your users. 

The following example shows how to:

  • Turn on Safe Browsing to help identify dangerous websites.
  • Specify webpages where users usually enter their password.
  • Whitelist domains that aren’t checked for password reuse.
  • Detect password reuse on non-whitelisted websites.
  • Set the webpage where users are prompted to change their password.

A managed-policy file is a single JSON object, so all of the policies go in one file rather than one object each:

{
  "SafeBrowsingEnabled": 1,
  "PasswordProtectionWarningTrigger": 1,
  "PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",
  "PasswordProtectionLoginURLs": ["https://mydomain.com/login.html", "https://login.mydomain.com"],
  "SafeBrowsingWhitelistDomains": ["mydomain.com", "myuniversity.edu"]
}
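Before deploying a managed-policy file like the Linux example above, it helps to check it against the rules from Step 1: Safe Browsing must be on for password protection to work at all, the warning trigger must be 0, 1 or 2, the URL policies are mandatory for SSO or non-G Suite deployments, SafeBrowsingWhitelistDomains takes domains rather than URLs, and when the whitelist is unset the sign-in and change-password URLs are whitelisted automatically. The following script is an added example, not a Google tool; the sample policy is constructed, and the custom_urls_required flag and the https-only URL check are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample managed-policy file (same shape as the Linux example on this
# page; the values are illustrative, not a real deployment).
SAMPLE_POLICY_JSON = """{
  "SafeBrowsingEnabled": 1,
  "PasswordProtectionWarningTrigger": 1,
  "PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",
  "PasswordProtectionLoginURLs": ["https://mydomain.com/login.html", "https://login.mydomain.com"]
}"""

# Meaning of each PasswordProtectionWarningTrigger value, as documented in Step 1.
TRIGGER_NAMES = {
    0: "PasswordProtectionWarningOff",
    1: "PasswordProtectionWarningOnPasswordReuse",
    2: "PasswordProtectionWarningOnPhishingReuse",
}


def _host_of_url(value, field, problems):
    """Return the lower-cased hostname of an https:// URL, or None after recording a problem."""
    parts = urlsplit(str(value))
    if parts.scheme != "https" or not parts.hostname:  # https-only is an assumption of this example
        problems.append(f"{field}: {value!r} is not an https:// URL")
        return None
    return parts.hostname.lower()


def _covered(host, domains):
    """Whether a host equals, or is a subdomain of, one of the listed domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def validate_policy(policy, custom_urls_required=True):
    """Check the password-protection policies and work out the effective whitelist.

    custom_urls_required: True for the cases the page marks the URL policies as
    mandatory (G Suite with SSO, or no G Suite); with plain G Suite accounts
    they may stay unset and Chrome falls back to the Google sign-in pages.
    """
    problems, notes, hosts = [], [], []

    # Password protection is part of Safe Browsing: turning that off turns this off.
    if policy.get("SafeBrowsingEnabled") not in (1, True):
        problems.append("SafeBrowsingEnabled is not on, so password protection is disabled")

    trigger = policy.get("PasswordProtectionWarningTrigger", 2)  # Unset defaults to 2
    if trigger not in TRIGGER_NAMES:
        problems.append(f"PasswordProtectionWarningTrigger must be 0, 1 or 2, got {trigger!r}")

    change_url = policy.get("PasswordProtectionChangePasswordURL")
    if change_url:
        host = _host_of_url(change_url, "PasswordProtectionChangePasswordURL", problems)
        if host:
            hosts.append(host)
    elif custom_urls_required:
        problems.append("PasswordProtectionChangePasswordURL is mandatory for this deployment")

    login_urls = policy.get("PasswordProtectionLoginURLs") or []
    if not login_urls and custom_urls_required:
        problems.append("PasswordProtectionLoginURLs is mandatory for this deployment")
    for url in login_urls:
        host = _host_of_url(url, "PasswordProtectionLoginURLs", problems)
        if host:
            hosts.append(host)

    whitelist = policy.get("SafeBrowsingWhitelistDomains")
    if whitelist is None:
        # Unset: the sign-in and change-password URLs are whitelisted automatically.
        effective = sorted(set(hosts))
    else:
        effective = [str(d).lower() for d in whitelist]
        for domain in effective:
            if "/" in domain or ":" in domain:
                problems.append(f"SafeBrowsingWhitelistDomains: {domain!r} looks like a URL; the policy takes bare domains")
        # The page documents auto-whitelisting only for the unset case, so flag hosts
        # from the URL policies that an explicit whitelist does not cover.
        for host in sorted(set(hosts)):
            if not _covered(host, effective):
                notes.append(f"{host} (from the URL policies) is not covered by SafeBrowsingWhitelistDomains")

    return {
        "trigger": TRIGGER_NAMES.get(trigger),
        "effective_whitelist": effective,
        "problems": problems,
        "notes": notes,
    }


def validate_policy_text(text, custom_urls_required=True):
    """Parse a managed-policy JSON file and validate it."""
    return validate_policy(json.loads(text), custom_urls_required)


if __name__ == "__main__":
    import pprint
    pprint.pprint(validate_policy_text(SAMPLE_POLICY_JSON))
```

Run it against the JSON file in /etc/opt/chrome/policies/managed before pushing it out; an empty problems list plus the effective whitelist you expected is the result to look for. For Windows and Mac the same checks apply to the values you put in Group Policy or the configuration profile, only the file format differs.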

Step 3: Set up password monitoring

You can use the Chrome Reporting Extension to view log information about Chrome Browser usage. Search for the following events to find information about passwords that users changed or reused.

  • onPolicySpecifiedPasswordChanged—Lets you know if users change their password. Only available for G Suite users.
  • onPolicySpecifiedPasswordReuseDetected—If users reuse their password, you can see:
    • Who reused their password.
    • URL where they reused the password.
    • Whether the website appears on the Safe Browsing list.

Note: The Chrome Reporting Extension does not monitor passwords if users are in incognito mode.
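Searching for the two events is the starting point; what an administrator usually wants from them is a short triage: which users reused their password on a site that Safe Browsing flagged, whether those users have since changed it, and whether any reuse was reported on a domain the policy whitelists (a whitelisted domain is not checked, so such an event suggests the policy is not reaching that client). The script below is an added example and not part of the Chrome Reporting Extension. The event names come from this page; the record layout (the user, url and isPhishingUrl fields) and the sample events themselves are constructed assumptions for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Event names from this page.
REUSE = "onPolicySpecifiedPasswordReuseDetected"
CHANGED = "onPolicySpecifiedPasswordChanged"

# Constructed sample records. The field names are an assumption; map your own
# export's fields onto them before use. Records are in chronological order.
SAMPLE_EVENTS = [
    {"event": REUSE, "user": "alice@mydomain.com",
     "url": "https://portal.myuniversity.edu/login", "isPhishingUrl": False},
    {"event": REUSE, "user": "alice@mydomain.com",
     "url": "https://bad-site.invalid/signin", "isPhishingUrl": True},
    {"event": CHANGED, "user": "alice@mydomain.com"},
    {"event": REUSE, "user": "bob@mydomain.com",
     "url": "https://mydomain.com/hr/login", "isPhishingUrl": False},
    {"event": REUSE, "user": "carol@mydomain.com",
     "url": "https://forum.example.net/login", "isPhishingUrl": False},
]


def _is_whitelisted(host, domains):
    """Whether a host equals, or is a subdomain of, a whitelisted domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(events, whitelist_domains):
    """Summarise password-reuse events for review.

    Returns phishing reuse (with whether a later password change exists for
    that user), reuse reported on whitelisted domains, and reuse counts per user.
    """
    phishing, unexpected = [], []
    counts = Counter()
    for index, ev in enumerate(events):
        if ev.get("event") != REUSE:
            continue
        user, url = ev["user"], ev["url"]
        counts[user] += 1
        host = (urlsplit(url).hostname or "").lower()

        if ev.get("isPhishingUrl"):
            # A password change logged after the reuse closes the item; otherwise
            # the user still needs to be prompted.
            changed_after = any(
                later.get("event") == CHANGED and later.get("user") == user
                for later in events[index + 1:]
            )
            phishing.append({"user": user, "url": url, "password_changed": changed_after})

        if _is_whitelisted(host, whitelist_domains):
            # Whitelisted domains are not checked for reuse, so a report here points
            # at a client that did not receive the whitelist policy.
            unexpected.append({"user": user, "url": url})

    return {
        "phishing_reuse": phishing,
        "unexpected_whitelisted": unexpected,
        "reuse_count_by_user": dict(counts),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_EVENTS, ["mydomain.com", "myuniversity.edu"]))
```

Pass the same domain list you set in SafeBrowsingWhitelistDomains; with the sample events, alice's reuse on the flagged site shows as already resolved by her later password change, while the two reports on whitelisted domains are the ones worth checking for a policy-delivery problem. Remember the note above: nothing from incognito sessions will appear in these records.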
