Monitor and prevent password reuse

Set up active password detection

For administrators who manage Chrome browser or ChromeOS devices for a business or school.

As an administrator, you can prompt users to change their password if they enter it on a website that you don’t allow.

Before you begin

  • If your organization uses the Password Alert extension, users might get 2 sets of alerts when they reuse their password. You can:
    • Turn off the extension so that you and your users no longer receive alerts from it.
    • To continue to receive alerts when Password Alert triggers without users getting them, set the Password Alert extension’s display_user_alert setting to false.
  • Know that when users enter or change their password, the password hash is stored as a preference in the directory:
    • Windows Vista and later—C:\Users\<user>\AppData\Local\Google\Chrome\User Data
    • Windows XP and earlier—C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Chrome\User Data
    • macOS—~/Library/Application Support/Google/Chrome
    • Linux—~/.config/google-chrome
    • ChromeOS— /home/chronos

Step 1: Review policies

You can set one or more of the following policies:

Policy Description and settings

PasswordProtectionChangePasswordURL

Mandatory if you:

  • Have Google Workspace and single sign-on (SSO)
  • Don’t have Google Workspace

Specifies the URL of the webpage where users are redirected to change their password. Users are prompted to change their password if they reuse their password on an unauthorized website or are a victim of phishing.

When users change their password, a hashing algorithm scrambles it. The password hash is stored and used to detect password reuse.

Make sure that the change password URL that you specify follows these guidelines.

If you’re using a third-party identity provider (IdP), use the same change password URL that you specified in the Google Admin console.

Unset: Google Workspace users are redirected to their Google Account page to change their password.


PasswordProtectionLoginURLs

Mandatory if you:

  • Have Google Workspace and SSO
  • Don’t have Google Workspace

Specifies the URLs of webpages where users usually enter their password to sign in to their account. If a sign-in process is split across 2 pages, add the URL of the webpage where users enter their password.

When users enter their password, its hash is stored and used to detect password reuse.

Make sure that the sign-in URLs that you specify follow these guidelines.

If you’re using a third-party identity provider (IdP), include the sign-in page URL that you specified in the Admin console.

Unset: Chrome will only capture the password hash on the sign-in page to detect password reuse.


PasswordProtectionWarningTrigger

Specifies whether password reuse is detected on websites.

Choose one of the options:

0—PasswordProtectionWarningOff—Password reuse is never detected.

1—PasswordProtectionWarningOnPasswordReuse—Password reuse is detected if users reuse their password on a website that you didn’t authorize. Users are prompted to change their password.

2—PasswordProtectionWarningOnPhishingReuse—If users reuse their password on a website that you didn’t authorize, Chrome sends the URL to Google Safe Browsing to determine its reputation. If the website contains phishing content, users are prompted to change their password.

Unset: Defaults to 2—PasswordProtectionWarningOnPhishingReuse, as described above.


SafeBrowsingAllowlistDomains

Specifies the domains that are exceptions to the URLs that appear on the Google Safe Browsing list. Authorized domains are not checked for:
  • Password reuse
  • Phishing and deceptive social engineering sites
  • Sites that host malware or unwanted software
  • Harmful downloads

Unset: URLs listed in PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL are automatically allowlisted for password reuse detection. All other URLs are checked for malware and phishing using Safe Browsing.

SafeBrowsingProtectionLevel

Specifies whether Safe Browsing is turned on and the mode it operates in.

Choose one of the options:

  • 0—Safe Browsing is never active.
  • 1—Safe Browsing is active in the standard mode.
  • 2—Safe Browsing is active in the enhanced mode. This mode provides better security, but requires sharing more browsing information with Google.

Unset: Safe Browsing is in standard mode and users can change the setting.


Step 2: Set the policies

Click below for steps, based on how you want to manage these policies.

Admin console
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Settings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu > Chrome browser > Settings.

  3. (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  4. Go to Chrome Safe Browsing.
  5. Click Safe Browsing Protection:
    1. Configure safe browsing. For details, see Set Chrome policies for users or browsers.
    2. Click Save. Or, you might click Override for an organizational unit.

      To later restore the inherited value, click Inherit (or Unset for a group).

  6. Click Safe Browsing allowed domains:
    1. Enter the URLs where users can reuse passwords.
    2. Click Save. Or, you might click Override for an organizational unit.

      To later restore the inherited value, click Inherit (or Unset for a group).

  7. Click Disable bypassing Safe Browsing warnings:
    1. Choose whether to let users ignore warnings and proceed to malicious sites.
    2. Click Save. Or, you might click Override for an organizational unit.

      To later restore the inherited value, click Inherit (or Unset for a group).

  8. Click Password alert:
    1. Choose an option:
      • Trigger on password reuse on phishing page—Password reuse is detected if users reuse their password on a phishing website that appears on the Safe Browsing blocklist.
      • Trigger on password reuse—Password reuse is detected if users reuse their password on a non-allowlisted website.
    2. For URL for password change, enter the URL where users can change their password.
    3. For Login URLs, enter the URLs where users usually enter their password to sign in to their account.
    4. Click Save. Or, you might click Override for an organizational unit.

      To later restore the inherited value, click Inherit (or Unset for a group).

Windows
Applies to Windows users who sign in to a managed account on Chrome browser.
Computers must be joined to a domain using Microsoft Active Directory to set the Password change URL, Sign-in URLs, and Allowlisted domains policies.

Using Group Policy

In your Group Policy Management Editor (Computer or User Configuration folder):

  1. Go to Policies and then Administrative Templates and then Google and then Google Chrome.
  2. Turn on Safe Browsing Protection Level.
    Tip: If you don’t see the policy, download the latest policy template.
    Leaving this policy Not configured uses the Unset behavior described above.
  3. Set an option:
    • Safe Browsing is active in the standard mode
    • Safe Browsing is active in the enhanced mode
  4. Enable Configure the list of domains on which Safe Browsing will not trigger warnings.
    Leaving this policy Not configured uses the Unset behavior described above.
  5. Add the domains where users are allowed to reuse passwords.
  6. Enable Password protection warning trigger.
    Leaving this policy Not configured uses the Unset behavior described above.
  7. Set an option:
    • Password protection warning is triggered by password reuse—Password reuse is detected if users reuse their password on an unauthorized website.
    • Password protection warning is triggered by password reuse on phishing page—Password reuse is detected if users reuse their password on a website that appears on the Safe Browsing list.
  8. Enable Configure the change password URL.
    Leaving this policy Not configured uses the Unset behavior described above.
  9. Add the URL of the webpage where you want users to change their password.
  10. Enable Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.
    Leaving this policy Not configured uses the Unset behavior described above.
  11. Add the URLs of the webpages where users usually sign in to Chrome browser. 
  12. Deploy the update to your users.

Mac
Applies to Mac users who sign in to a managed account on Chrome browser.
In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users. 
  • Set the <SafeBrowsingProtectionLevel> key to <integer>value</integer>, where <value> is 1 or 2.
  • Add the domains for which you want to turn off Safe Browsing to the <SafeBrowsingAllowlistDomains> key.
  • Set the <PasswordProtectionWarningTrigger> key to <integer>value</integer>, where <value> is 0, 1, or 2.
  • Add the URL of the webpage where you want users to change their password to the <PasswordProtectionChangePasswordURL> key.
  • Add the URLs of the webpages where users usually sign in to Chrome browser to the <PasswordProtectionLoginURLs> key. 

The example shows how to:

  • Turn on Safe Browsing to help identify dangerous websites.
  • Specify webpages where users usually enter their password.
  • Allow domains that aren’t checked for password reuse.
  • Detect password reuse on unauthorized websites.
  • Set the webpage where users are prompted to change their password.
<!-- In a plist, each <key> is followed directly by its value; the pairs sit inside one <dict>. -->
<dict>
  <key>SafeBrowsingProtectionLevel</key>
  <integer>1</integer>
  <key>PasswordProtectionWarningTrigger</key>
  <integer>1</integer>
  <key>PasswordProtectionChangePasswordURL</key>
  <string>https://mydomain.com/change_password.html</string>
  <key>PasswordProtectionLoginURLs</key>
  <array>
    <string>https://mydomain.com/login.html</string>
    <string>https://login.mydomain.com</string>
  </array>
  <key>SafeBrowsingAllowlistDomains</key>
  <array>
    <string>mydomain.com</string>
    <string>myuniversity.edu</string>
  </array>
</dict>

Linux
Applies to Linux users who sign in to a managed account on Chrome browser.

Using your preferred JSON file editor:

  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file.
  3. Set SafeBrowsingProtectionLevel to 1 or 2.
  4. Set PasswordProtectionWarningTrigger to 0, 1, or 2.
  5. Enter URLs as needed. In:
    • PasswordProtectionChangePasswordURL, add the URL of the webpage where you want users to change their password.
    • PasswordProtectionLoginURLs, add the URLs of the webpages where users usually sign in to Chrome browser.
    • SafeBrowsingAllowlistDomains, add the domains for which you want to turn off Safe Browsing.
  6. Deploy the update to your users. 

The example shows how to:

  • Turn on Safe Browsing to help identify dangerous websites.
  • Specify webpages where users usually enter their password.
  • Allow domains that aren’t checked for password reuse.
  • Detect password reuse on unauthorized websites.
  • Set the webpage where users are prompted to change their password.

{
  "SafeBrowsingProtectionLevel": 1,
  "PasswordProtectionWarningTrigger": 1,
  "PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",
  "PasswordProtectionLoginURLs": ["https://mydomain.com/login.html", "https://login.mydomain.com"],
  "SafeBrowsingAllowlistDomains": ["mydomain.com", "myuniversity.edu"]
}
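Before deploying a managed-policy file, it is worth checking it against the value ranges and the "Mandatory if you..." rules from Step 1. The validator below is an added example, not Chrome's own tooling and not code from this page: the policy names, the allowed integer values 0/1/2 and the Unset behaviours are taken from the page, while the `has_workspace`/`uses_sso` flags and the rule that URLs must use https are this example's own assumptions.

```python
"""Validate a Chrome managed-policy JSON file (for example one placed under
/etc/opt/chrome/policies/managed) against the value ranges and the
"Mandatory if you..." rules stated on this page.

Added example, not Chrome's own tooling. Policy names, allowed values and
Unset behaviours come from the page; the has_workspace/uses_sso flags and the
https-only rule for URLs are this example's assumptions."""
import json
from urllib.parse import urlsplit

# Integer policies and the values the page documents for them.
INTEGER_RANGES = {
    "SafeBrowsingProtectionLevel": {0, 1, 2},
    "PasswordProtectionWarningTrigger": {0, 1, 2},
}
# What applies when each policy is left Unset, as described on the page.
UNSET_BEHAVIOUR = {
    "SafeBrowsingProtectionLevel": "standard mode, users may change it",
    "PasswordProtectionWarningTrigger": "2 (warn on reuse on a phishing page)",
    "PasswordProtectionChangePasswordURL": "Workspace users go to their Google Account page",
    "PasswordProtectionLoginURLs": "only the Google sign-in page is fingerprinted",
    "SafeBrowsingAllowlistDomains": "login and change-password URLs are allowlisted",
}


def parse_policy_file(text):
    """A managed policy file must be exactly one JSON object."""
    policy = json.loads(text)  # raises ValueError ("Extra data") on concatenated objects
    if not isinstance(policy, dict):
        raise ValueError("policy file must contain a single JSON object")
    return policy


def _is_https_url(value):
    # Assumption of this example: change-password and login URLs must be https.
    parts = urlsplit(value) if isinstance(value, str) else None
    return bool(parts and parts.scheme == "https" and parts.hostname)


def _is_bare_domain(value):
    # Allowlist entries are domains such as mydomain.com, not URLs.
    return isinstance(value, str) and "/" not in value and "." in value


def validate_policy(policy, has_workspace, uses_sso):
    """Return (errors, notes): errors should block deployment, notes list the
    Unset policies together with the documented default that will apply."""
    errors, notes = [], []

    for name, allowed in INTEGER_RANGES.items():
        value = policy.get(name)
        if name in policy and not (isinstance(value, int) and value in allowed):
            errors.append(f"{name}: expected one of {sorted(allowed)}, got {value!r}")

    # Page: change-password URL and login URLs are mandatory for organizations
    # with Workspace plus SSO, and for organizations without Workspace.
    mandatory = (not has_workspace) or uses_sso
    for name in ("PasswordProtectionChangePasswordURL", "PasswordProtectionLoginURLs"):
        if mandatory and name not in policy:
            errors.append(f"{name}: mandatory for this organization but missing")

    url = policy.get("PasswordProtectionChangePasswordURL")
    if url is not None and not _is_https_url(url):
        errors.append(f"PasswordProtectionChangePasswordURL: must be an https URL, got {url!r}")

    logins = policy.get("PasswordProtectionLoginURLs")
    if logins is not None:
        if not isinstance(logins, list) or not logins:
            errors.append("PasswordProtectionLoginURLs: must be a non-empty list of URLs")
        else:
            errors.extend(f"PasswordProtectionLoginURLs: not an https URL: {u!r}"
                          for u in logins if not _is_https_url(u))

    domains = policy.get("SafeBrowsingAllowlistDomains")
    if domains is not None:
        if not isinstance(domains, list):
            errors.append("SafeBrowsingAllowlistDomains: must be a list of domains")
        else:
            errors.extend(f"SafeBrowsingAllowlistDomains: not a bare domain: {d!r}"
                          for d in domains if not _is_bare_domain(d))

    for name, behaviour in UNSET_BEHAVIOUR.items():
        if name not in policy:
            notes.append(f"{name} is Unset: {behaviour}")
    return errors, notes


if __name__ == "__main__":
    # Constructed sample: the page's Linux example written as one JSON object.
    sample = """{
      "SafeBrowsingProtectionLevel": 1,
      "PasswordProtectionWarningTrigger": 1,
      "PasswordProtectionChangePasswordURL": "https://mydomain.com/change_password.html",
      "PasswordProtectionLoginURLs": ["https://mydomain.com/login.html", "https://login.mydomain.com"],
      "SafeBrowsingAllowlistDomains": ["mydomain.com", "myuniversity.edu"]
    }"""
    errs, notes = validate_policy(parse_policy_file(sample), has_workspace=False, uses_sso=False)
    print("errors:", errs)
    print("notes:", notes)
```

Run it with the policy file's contents and the two organization flags; an empty `errors` list plus a review of the `notes` (which Unset defaults you are relying on) is the state to deploy from.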

Step 3: Set up password monitoring

You can use the Chrome Reporting Extension to view log information about Chrome browser usage. For details, see Set up passive password monitoring.

Let users know how it works

When users reuse their password on dangerous websites or on websites that aren’t allowed by your organization, they see a warning and are directed to a URL where they can change their password.

  1. In Chrome browser or on a ChromeOS device, the user signs in to an allowed domain.
    Chrome silently captures and locally stores the password hash. Chrome does not send data to Google.
  2. User enters their password on a disallowed webpage or a dangerous website. (They might use a different username.)
    Chrome notifies the user that they're using the same password and prompts them to change it.
  3. User clicks Reset password.
    They're redirected to the URL that you specified.
  4. User changes their password.
    Chrome silently captures and locally stores the new password hash.
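The four-step flow above, together with the PasswordProtectionWarningTrigger, PasswordProtectionLoginURLs, PasswordProtectionChangePasswordURL and SafeBrowsingAllowlistDomains semantics from Step 1, can be modelled in a few dozen lines. The following is an added example, not Chrome's implementation and not code from this page: the policy names and trigger values 0/1/2 are from the page, while the salted PBKDF2 fingerprint, the constructed set of "phishing" hostnames standing in for the Safe Browsing verdict, and the treatment of the login and change-password hosts as allowlisted are this example's own assumptions.

```python
"""Model of the password-reuse detection flow this page describes: the
password typed on an enterprise sign-in URL is fingerprinted (hashed) and kept
locally; passwords typed on other sites are compared against it and a warning
is raised according to PasswordProtectionWarningTrigger.

Added example, not Chrome's implementation. Assumptions: salted PBKDF2 stands
in for Chrome's fingerprint, a constructed hostname set stands in for the Safe
Browsing phishing verdict, and login/change-password hosts count as allowlisted."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# PasswordProtectionWarningTrigger values from the page.
WARNING_OFF = 0
WARNING_ON_PASSWORD_REUSE = 1
WARNING_ON_PHISHING_REUSE = 2


@dataclass
class PolicySet:
    warning_trigger: int = WARNING_ON_PHISHING_REUSE  # Unset default per the page
    login_urls: list = field(default_factory=list)
    change_password_url: str = ""
    allowlist_domains: list = field(default_factory=list)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _same_page(url_a, url_b):
    """Match on scheme, host and path so a query string on the sign-in page does not matter."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, _host(url_a), a.path.rstrip("/")) == (b.scheme, _host(url_b), b.path.rstrip("/"))


class PasswordProtection:
    def __init__(self, policy, phishing_hosts=frozenset()):
        self.policy = policy
        self.phishing_hosts = phishing_hosts  # stand-in for the Safe Browsing verdict
        self.salt = os.urandom(16)            # per-profile salt that never leaves the device
        self.fingerprints = []                # stored locally, as the page states

    def _fingerprint(self, password):
        # Iteration count kept modest for the demo; a real client would use far more.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, 20_000)

    def _is_login_url(self, url):
        return any(_same_page(url, u) for u in self.policy.login_urls)

    def _is_allowlisted(self, url):
        host = _host(url)
        trusted = set(self.policy.allowlist_domains)
        trusted.update(_host(u) for u in self.policy.login_urls)  # assumption, see lead-in
        if self.policy.change_password_url:
            trusted.add(_host(self.policy.change_password_url))
        return any(host == d or host.endswith("." + d) for d in trusted)

    def _reused(self, fp):
        return any(hmac.compare_digest(fp, stored) for stored in self.fingerprints)

    def on_password_entered(self, url, password):
        """Return (verdict, redirect_url); redirect_url is set only for 'warn'."""
        fp = self._fingerprint(password)
        if self._is_login_url(url):              # step 1: capture on an allowed sign-in page
            if not self._reused(fp):
                self.fingerprints.append(fp)
            return ("captured", None)
        if self.policy.warning_trigger == WARNING_OFF:
            return ("off", None)
        if self._is_allowlisted(url):
            return ("allowlisted", None)
        if not self._reused(fp):
            return ("no_reuse", None)
        if (self.policy.warning_trigger == WARNING_ON_PHISHING_REUSE
                and _host(url) not in self.phishing_hosts):
            return ("reuse_not_phishing", None)  # mode 2 warns only on phishing sites
        return ("warn", self.policy.change_password_url)  # steps 2 and 3

    def on_password_changed(self, new_password):
        """Step 4: the new password's fingerprint replaces the old one."""
        self.fingerprints = [self._fingerprint(new_password)]


def run_scenario(trigger):
    """Walk the page's flow under one trigger mode; returns the list of verdicts."""
    policy = PolicySet(
        warning_trigger=trigger,
        login_urls=["https://mydomain.com/login.html", "https://login.mydomain.com"],
        change_password_url="https://mydomain.com/change_password.html",
        allowlist_domains=["mydomain.com", "myuniversity.edu"],
    )
    pp = PasswordProtection(policy, phishing_hosts=frozenset({"phish.example"}))  # constructed
    verdicts = [
        pp.on_password_entered("https://login.mydomain.com/?next=/home", "Corr3ct-Horse")[0],
        pp.on_password_entered("https://portal.myuniversity.edu/", "Corr3ct-Horse")[0],
        pp.on_password_entered("https://shop.example/account", "Corr3ct-Horse")[0],
        pp.on_password_entered("https://phish.example/login", "Corr3ct-Horse")[0],
        pp.on_password_entered("https://shop.example/account", "unrelated-pw")[0],
    ]
    pp.on_password_changed("N3w-Battery-Staple")
    verdicts.append(pp.on_password_entered("https://shop.example/account", "Corr3ct-Horse")[0])
    return verdicts


if __name__ == "__main__":
    for mode in (WARNING_OFF, WARNING_ON_PASSWORD_REUSE, WARNING_ON_PHISHING_REUSE):
        print(mode, run_scenario(mode))
```

Running the scenario under each trigger mode shows the difference the policy table describes: mode 1 warns on any non-allowlisted site where the fingerprint matches, mode 2 warns only when that site is also judged phishing, and mode 0 never warns. After the password change, the old password no longer matches anything, which is why step 4 stores the new hash.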
