A blog post from Google said once the feature was enabled, a password that was entered on an Android device would be checked against a database of known compromised credentials.
The user would be alerted if the password that had been entered was compromised, Android team software engineer Arvind Kumar Sugumar wrote.
"The prompt can also take you to your Password Manager page, where you can do a comprehensive review of your saved passwords," he wrote. "Password Checkup on Android apps is available on Android 9 and above, for users of Autofill with Google."
Sugumar said the Autofill option was built to have access to a user's credentials only if the user had saved them to their Google account, or if the user was offered the option to save a new credential and accepted it.
"When the user interacts with a credential by either filling it into a form or saving it for the first time, we use the same privacy preserving API that powers the feature in Chrome to check if the credential is part of the list of known compromised passwords tracked by Google," Sugumar wrote.
"This implementation ensures that:
- "Only an encrypted hash of the credential leaves the device (the first 3.25 bytes of the hashed username are sent unencrypted to partition the database);
- "The server returns a list of encrypted hashes of known breached credentials that share the same prefix;
- "The actual determination of whether the credential has been breached happens locally on the user’s device; and
- "The server (Google) does not have access to the unencrypted hash of the user’s password and the client (User) does not have access to the list of unencrypted hashes of potentially breached credentials."
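
The exchange described in the list above, sketched as an added example that is not Google's code. A toy commutative cipher (exponentiation modulo a prime) stands in for the real encryption and SHA-256 for the hash; the `username:password` encoding, the `Server` class and the sample breach list are assumptions made for illustration.

```python
import hashlib
import math
import secrets

P = 2**255 - 19      # prime modulus for the toy commutative cipher (assumption)
PREFIX_BITS = 26     # 3.25 bytes of the hashed username, as stated in the post

def h_int(data: str) -> int:
    """Hash a string to a non-zero element of Z_P*."""
    d = hashlib.sha256(data.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (P - 1)

def prefix(username: str) -> int:
    """Unencrypted 26-bit prefix used only to pick a database partition."""
    d = hashlib.sha256(username.encode()).digest()
    return int.from_bytes(d[:4], "big") >> (32 - PREFIX_BITS)

def keygen() -> int:
    """Random exponent invertible mod P-1, so blinding can be undone."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    def __init__(self, breached):
        self.key = keygen()
        self.buckets = {}
        for user, pw in breached:
            enc = pow(h_int(f"{user}:{pw}"), self.key, P)   # H^b
            self.buckets.setdefault(prefix(user), set()).add(enc)

    def lookup(self, pfx: int, blinded: int):
        # The server sees only the prefix and H^a, never H itself.
        return pow(blinded, self.key, P), self.buckets.get(pfx, set())

def is_breached(server: Server, user: str, pw: str) -> bool:
    a = keygen()                                       # fresh client key per check
    blinded = pow(h_int(f"{user}:{pw}"), a, P)         # H^a leaves the device
    double, bucket = server.lookup(prefix(user), blinded)
    unblinded = pow(double, pow(a, -1, P - 1), P)      # (H^ab)^(1/a) = H^b
    return unblinded in bucket                         # decision made locally

# Constructed sample data, not real breach records.
BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]
```

The client only ever holds values encrypted under the server's key, and the server only ever receives a value encrypted under the client's key, which is the property the last bullet describes.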