Google has announced the release of a new browser extension designed to protect its users from phishing attacks.
Dubbed ‘Password Alert’, the free, open-source Chrome extension – the source code is available through GitHub – is designed to warn you if you stick your Google password where it doesn’t belong.
If you enter your Google credentials on a fake log-in page, the extension will display an alert, inviting you either to change your password immediately, hopefully before it can be used to compromise your account, or to take the potentially far more dangerous option of ignoring the message altogether:
Here's how it works for consumer accounts. Once you’ve installed and initialized Password Alert, Chrome will remember a “scrambled” version of your Google Account password. It only remembers this information for security purposes and doesn’t share it with anyone. If you type your password into a site that isn't a Google sign-in page, Password Alert will show you a notice.
The new extension also offers an additional feature for business users, allowing you to set it up to alert your incident response team automatically:
Password Alert is also available to Google for Work customers, including Google Apps and Drive for Work. Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem. This can help spot malicious attackers trying to break into employee accounts and also reduce password reuse.
The release of the new extension coincides with a number of recent reports that show how phishing remains a potent attack vector for cybercriminals looking to acquire access to both personal and business accounts and networks.
Google’s own findings suggest that:
- The most effective phishing campaigns achieve a 45% success rate.
- Almost 2% of all messages sent to Gmail accounts are designed to trick recipients into giving up their passwords.
- A large number of services across the web are pumping out millions of phishing emails each and every day.
Beyond phishing warnings, Password Alert will also help to keep you out of the habit of sharing passwords across multiple accounts.
With Password Alert installed, reusing your Google password somewhere else will trigger the same alert as a phishing attempt, because you’ll be putting your Google password into a non-Google site.
The extension is a handy tool, as long as you remember it’s a reactive measure that alerts you when you submit your Google password to the wrong site:
Each time you successfully sign in to your Google account, Password Alert has temporary access to your correct password and saves a salted reduced-bit thumbnail of your password to Chrome local storage. It then compares this thumbnail to each password you enter in any website other than accounts.google.com (or, for Google for Work domains, websites whitelisted by the administrator).
Another useful way to keep your passwords where they belong is to use a password manager.
These tools not only generate and securely store complex, random passwords for each site, they remember which passwords go with which site.
That’s proactively positive, because it makes it difficult to enter the right password on wrong page in the first place.
You can learn more about using a password manager in our How to Pick a Proper Password video:
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.