Set up active password detection

Chrome version 69 or later.

For administrators who manage Chrome Browser or Chrome devices for a business or school.

As an administrator, you can prompt users to change their password if they enter it on a website that you don’t allow.

Before you begin

  • If your organization uses the Password Alert extension, users might get 2 sets of alerts when they reuse their password. You can:
    • Turn off the extension so that you and your users no longer receive alerts from it.
    • Keep receiving the extension's alerts yourself without showing them to users: set the Password Alert extension's display_user_alert setting to false.
  • Know that when users enter or change their password, Chrome stores a hash of the password (not the password itself) as a preference in the user data directory:
    • Windows® Vista® and later—C:\Users\<user>\AppData\Local\Google\Chrome\User Data
    • Windows XP® and earlier—C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Chrome\User Data
    • Mac® OS® X—~/Library/Application Support/Google/Chrome
    • Linux®—~/.config/google-chrome
    • Chrome OS—/home/chronos

Step 1: Review policies

You can set one or more of the following policies:

Each policy is listed below with its description and settings.

PasswordProtectionChangePasswordURL

Mandatory if you:

  • Have G Suite and single sign-on (SSO)
  • Don’t have G Suite

Specifies the URL of the webpage where users are redirected to change their password. Users are prompted to change their password if they reuse their password on an unauthorized website or are a victim of phishing.

When users change their password, Chrome stores a hash of the new password, not the password itself. The hash is used to detect password reuse.

Make sure that the change password URL that you specify follows these guidelines.

If you’re using a third-party identity provider (IdP), use the same change password URL that you specified in the Google Admin console.

Unset: G Suite users are redirected to their Google Account page to change their password.

PasswordProtectionLoginURLs

Mandatory if you:

  • Have G Suite and SSO
  • Don’t have G Suite

Specifies the URLs of webpages where users usually enter their password to sign in to their account. If a sign-in process is split across 2 pages, add the URL of the webpage where users enter their password.

When users enter their password, its hash is stored and used to detect password reuse.

Make sure that each login URL that you specify follows these guidelines.

If you’re using a third-party identity provider (IdP), include the sign-in page URL that you specified in the Admin console.

Unset: Chrome captures the password hash only on the Google Account sign-in page (accounts.google.com) to detect password reuse.

PasswordProtectionWarningTrigger

Specifies whether password reuse is detected on websites.

Choose one of the options:

0—PasswordProtectionWarningOff—Password reuse is never detected.

1—PasswordProtectionWarningOnPasswordReuse—Password reuse is detected if users reuse their password on a website that you didn’t authorize. Users are prompted to change their password.

2—PasswordProtectionWarningOnPhishingReuse—If users reuse their password on a website that you didn’t authorize, Chrome sends the URL to Google Safe Browsing to determine its reputation. If the website contains phishing content, users are prompted to change their password.

Unset:
Defaults to 2—PasswordProtectionWarningOnPhishingReuse, as described above.

SafeBrowsingEnabled

Enables the Safe Browsing feature.

If this policy is turned off, all safe browsing features are turned off, including password protection.

Unset: Safe Browsing is turned on. Users can change it.

SafeBrowsingWhitelistDomains

Specifies domains that Safe Browsing treats as trusted, even if a URL on them appears on the Google Safe Browsing list. URLs on these domains are not checked for:
  • Password reuse
  • Phishing and deceptive social engineering sites
  • Sites that host malware or unwanted software
  • Harmful downloads

Because every check is skipped on these domains, list only domains that you control or fully trust, not arbitrary sites where users happen to reuse passwords.

Unset: The hosts of the URLs listed in PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL are automatically whitelisted for password reuse detection. All other URLs are checked by Safe Browsing.

Step 2: Set the policies

Click below for steps, based on how you want to manage these policies.

Admin console
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click User & browser settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Scroll to Chrome Safe Browsing.
  6. For Safe Browsing, select Always enable Safe Browsing.
  7. For Safe Browsing whitelisted domains, enter the domains where users are allowed to reuse their password.
  8. For Disable bypassing Safe Browsing warnings, choose whether to let users ignore warnings and proceed to malicious sites.
  9. For Password alert, choose an option:
    • Trigger on password reuse on phishing page—Password reuse is detected if users reuse their password on a phishing website that appears on the Safe Browsing blocklist.
    • Trigger on password reuse—Password reuse is detected if users reuse their password on a non-whitelisted website.
  10. For URL for password change, enter the URL where users can change their password.
  11. For Login URLs, enter the URLs where users usually enter their password to sign in to their account.
  12. Click Save.
Windows
Applies to Windows users who sign in to a managed account on Chrome Browser.
Computers must be joined to a domain using Microsoft® Active Directory® to set the Password change URL, Sign-in URLs, and Whitelisted domains policies.

Using Group Policy

In your Group Policy Management Editor (Computer or User Configuration folder):

  1. Go to Policies and then Administrative Templates and then Google and then Google Chrome.
  2. Turn on Enable Safe Browsing.
    Tip: If you don’t see the policy, download the latest policy template.
    Leaving this policy Not configured uses the Unset behavior described above.
  3. Enable Configure the list of domains on which Safe Browsing will not trigger warnings.
    Leaving this policy Not configured uses the Unset behavior described above.
  4. Add the domains where users are allowed to reuse passwords.
  5. Enable Password protection warning trigger.
    Leaving this policy Not configured uses the Unset behavior described above.
  6. Set an option:
    • Password protection warning is triggered by password reuse—Password reuse is detected if users reuse their password on an unauthorized website.
    • Password protection warning is triggered by password reuse on phishing page—Password reuse is detected if users reuse their password on a website that appears on the Safe Browsing list.
  7. Enable Configure the change password URL.
    Leaving this policy Not configured uses the Unset behavior described above.
  8. Add the URL of the webpage where you want users to change their password.
  9. Enable Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.
    Leaving this policy Not configured uses the Unset behavior described above.
  10. Add the URLs of the webpages where users usually enter their password to sign in to their account.
  11. Deploy the update to your users.
Mac
Applies to Mac users who sign in to a managed account on Chrome Browser.
In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users. 
  • Set the <SafeBrowsingEnabled> key to True.
  • Add the domains on which you want Safe Browsing to skip its checks to the <SafeBrowsingWhitelistDomains> key.
  • Set the <PasswordProtectionWarningTrigger> key to <integer>value</integer>, where value is 0, 1, or 2.
  • Add the URL of the webpage where you want users to change their password to the <PasswordProtectionChangePasswordURL> key.
  • Add the URLs of the webpages where users usually enter their password to sign in to their account to the <PasswordProtectionLoginURLs> key.

The example shows how to:

  • Turn on Safe Browsing to help identify dangerous websites.
  • Specify webpages where users usually enter their password.
  • Allow domains that aren’t checked for password reuse.
  • Detect password reuse on unauthorized websites.
  • Set the webpage where users are prompted to change their password.
Each key holds its value directly; the values are not wrapped in a <dict>. These keys go inside the top-level <dict> of the profile.
<key>SafeBrowsingEnabled</key>
<true/>
<key>PasswordProtectionWarningTrigger</key>
<integer>1</integer>
<key>PasswordProtectionChangePasswordURL</key>
<string>https://mydomain.com/change_password.html</string>
<key>PasswordProtectionLoginURLs</key>
<array>
  <string>https://mydomain.com/login.html</string>
  <string>https://login.mydomain.com</string>
</array>
<key>SafeBrowsingWhitelistDomains</key>
<array>
  <string>mydomain.com</string>
  <string>myuniversity.edu</string>
</array>
Linux
Applies to Linux users who sign in to a managed account on Chrome Browser.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file.
  3. Set SafeBrowsingEnabled to true.
  4. Set PasswordProtectionWarningTrigger to 0, 1, or 2.
  5. Enter URLs as needed. In:
    • PasswordProtectionChangePasswordURL, add the URL of the webpage where you want users to change their password.
    • PasswordProtectionLoginURLs, add the URLs of the webpages where users usually enter their password to sign in to their account.
    • SafeBrowsingWhitelistDomains, add the domains on which you want Safe Browsing to skip its checks.
  6. Deploy the update to your users. 

The example shows how to:

  • Turn on Safe Browsing to help identify dangerous websites.
  • Specify webpages where users usually enter their password.
  • Allow domains that aren’t checked for password reuse.
  • Detect password reuse on unauthorized websites.
  • Set the webpage where users are prompted to change their password.

All of the policies go in a single JSON object in one file, for example /etc/opt/chrome/policies/managed/password_protection.json:

{
  "SafeBrowsingEnabled": true,
  "PasswordProtectionWarningTrigger": 1,
  "PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",
  "PasswordProtectionLoginURLs": ["https://mydomain.com/login.html", "https://login.mydomain.com"],
  "SafeBrowsingWhitelistDomains": ["mydomain.com", "myuniversity.edu"]
}
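The following script is an added example (not Google's tooling and not part of this article) that checks a policy set for the consistency problems described in Step 1 before you deploy it, and serializes the same policy for the Linux JSON file and the Mac configuration profile shown above. It encodes only the semantics stated on this page: SafeBrowsingEnabled=false switches everything off, the trigger must be 0, 1 or 2 and defaults to 2, and the login and change-password hosts are exempt from reuse detection only automatically when SafeBrowsingWhitelistDomains is unset. The sample policy values (mydomain.com, myuniversity.edu) are constructed to match the page's example; the warning about an explicit whitelist not covering the login hosts is a conservative check, not a documented Chrome rule.

```python
"""Lint and serialize the Chrome password-protection policies described on
this page. Added example, not Google's tooling; sample values are constructed."""
import json
import plistlib
from urllib.parse import urlparse

TRIGGER_OFF = 0                 # PasswordProtectionWarningOff
TRIGGER_ON_REUSE = 1            # PasswordProtectionWarningOnPasswordReuse
TRIGGER_ON_PHISHING_REUSE = 2   # PasswordProtectionWarningOnPhishingReuse (default when unset)

# Constructed sample, mirroring the mydomain.com example used on this page.
SAMPLE_POLICY = {
    "SafeBrowsingEnabled": True,
    "PasswordProtectionWarningTrigger": TRIGGER_ON_REUSE,
    "PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",
    "PasswordProtectionLoginURLs": [
        "https://mydomain.com/login.html",
        "https://login.mydomain.com",
    ],
    "SafeBrowsingWhitelistDomains": ["mydomain.com", "myuniversity.edu"],
}


def _capture_urls(policy: dict) -> list:
    """The change-password URL plus every login URL (where the hash is captured)."""
    change_url = policy.get("PasswordProtectionChangePasswordURL")
    return ([change_url] if change_url else []) + list(policy.get("PasswordProtectionLoginURLs", []))


def _hosts(policy: dict) -> set:
    """Hostnames of the capture URLs."""
    return {urlparse(u).hostname for u in _capture_urls(policy) if urlparse(u).hostname}


def _covered(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def reuse_exempt_hosts(policy: dict) -> set:
    """Hosts on which Chrome does not check for password reuse.

    With SafeBrowsingWhitelistDomains set, that list is authoritative; when it
    is unset, the login and change-password hosts are exempt automatically.
    """
    explicit = policy.get("SafeBrowsingWhitelistDomains")
    return set(explicit) if explicit is not None else _hosts(policy)


def lint_policy(policy: dict) -> list:
    """Return human-readable problems; an empty list means the policy is consistent."""
    problems = []
    if policy.get("SafeBrowsingEnabled") is False:
        problems.append("SafeBrowsingEnabled=false turns off all Safe Browsing features, "
                        "including password protection")
    trigger = policy.get("PasswordProtectionWarningTrigger", TRIGGER_ON_PHISHING_REUSE)
    if trigger not in (TRIGGER_OFF, TRIGGER_ON_REUSE, TRIGGER_ON_PHISHING_REUSE):
        problems.append(f"PasswordProtectionWarningTrigger={trigger!r} is not 0, 1 or 2")
    elif trigger == TRIGGER_OFF:
        problems.append("PasswordProtectionWarningTrigger=0: password reuse is never detected")
    # The real password is typed on these pages; require absolute https:// URLs.
    for url in _capture_urls(policy):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.hostname:
            problems.append(f"{url!r}: login and change-password URLs must be absolute https:// URLs")
    # Whitelist entries are domains, not URLs.
    explicit = policy.get("SafeBrowsingWhitelistDomains")
    for domain in explicit or []:
        if "://" in domain or "/" in domain:
            problems.append(f"SafeBrowsingWhitelistDomains entry {domain!r} should be a bare domain")
    # Conservative check (assumption, not a documented rule): an explicit whitelist
    # replaces the automatic exemption, so flag capture hosts it no longer covers.
    if explicit:
        for host in sorted(_hosts(policy)):
            if not _covered(host, explicit):
                problems.append(f"{host} is a login/change-password host but is not "
                                "covered by SafeBrowsingWhitelistDomains")
    return problems


def to_linux_json(policy: dict) -> str:
    """One JSON object, as placed in /etc/opt/chrome/policies/managed/<name>.json."""
    return json.dumps(policy, indent=2) + "\n"


def to_mac_plist(policy: dict) -> bytes:
    """XML plist in which each key holds its value directly (no wrapping <dict>)."""
    return plistlib.dumps(policy, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY) or ["policy OK"]:
        print(line)
    print(to_linux_json(SAMPLE_POLICY))
    print(to_mac_plist(SAMPLE_POLICY).decode())
```

Run it against your own policy dict before copying the output into the managed-policy directory or the configuration profile; the plist output doubles as a reference for the key layout the Mac profile expects.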

Step 3: Set up password monitoring

You can use the Chrome Reporting Extension to view log information about Chrome Browser usage. For details, see Set up passive password monitoring.

Let users know how it works

When users reuse their password on dangerous websites or on websites that aren’t allowed by your organization, they see a warning and are directed to a URL where they can change their password.

  1. In Chrome Browser or on a device running Chrome OS, the user signs in on one of the login URLs you configured.
    Chrome silently captures the password hash and stores it locally. Capturing the hash sends no data to Google.
  2. The user enters the same password on a disallowed webpage or a dangerous website. (They might use a different username.)
    Chrome notifies the user that they're reusing their password and prompts them to change it. With the default trigger (2), the prompt appears only after Safe Browsing reports the site as phishing; with trigger 1, it appears on any non-whitelisted site.
  3. The user clicks Reset password.
    They're redirected to the URL that you specified.
  4. The user changes their password.
    Chrome silently captures and locally stores the hash of the new password.