Password Alert: official Google Chrome extension to protect against phishing
Google has just released Password Alert, a browser extension for the company's Chrome browser that helps protect against phishing attacks targeting Google accounts.
Phishing, meaning attacks aimed at stealing information such as login data or credit card details from Internet users, is a huge problem on the Internet.
Companies like Google have added security features to their services to improve the overall protection of accounts and make it harder for attackers to steal and use account related information.
Those methods are optional most of the time, though. You can, for instance, enable two-step authentication for your Google account, which adds another layer of protection during sign-in.
Password Alert is another attempt to improve protection against phishing attacks. The extension warns users who have it installed if they have entered login related data on fake Google sign-in pages.
This is done by scanning pages with Google sign-in forms to find out if they are legitimate or not. One way of finding that out is to check whether you are entering the data on accounts.google.com or a third-party site.
If the latter is the case, the warning is displayed.
If you do enter the password and proceed with the sign-in, you get a notification that informs you that your password was exposed on a non-Google login page.
Google recommends resetting the password in this case to keep the account secure. There is an option to do so right when the prompt is displayed. Alternatively, you can choose to ignore the warning this time, which may be useful if the service is legitimate.
To get started, you need to sign in to your Google account after installing the extension. Password Alert saves a hash of the password, which it then compares to passwords that you enter on all sites that you sign in to except accounts.google.com.
This is done to find out if the Google account password was entered. If that is the case, the warning is displayed.
Note: If you use the same password on multiple accounts you will get the warning even if you sign in with a non-Google account.
Password Alert works for home users and Google Apps for Work users. The Google Apps administrator needs to deploy Password Alert across domains using Chrome policies, though, before it becomes available.
To use Password Alert, the password needs to have a length of at least eight characters.
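The comparison described above can be sketched in a few lines of JavaScript. This is an added example, not code from Password Alert or Google: the scrypt-based hashing, the function names and the sample host login.example.test are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const TRUSTED_HOST = 'accounts.google.com';
const MIN_LENGTH = 8; // minimum password length stated in the article

// Salted scrypt hash (assumed scheme): the stored record never contains the password.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 16);
}

// Run once after a sign-in on the trusted host; keeps salt, length and hash only.
function enroll(password) {
  if (password.length < MIN_LENGTH) return null; // too short to be protected
  const salt = crypto.randomBytes(16);
  return { salt, length: password.length, hash: hashPassword(password, salt) };
}

// Returns a per-page keystroke handler that reports true when the last
// `record.length` typed characters hash to the enrolled value.
function createWatcher(record, hostname) {
  let buffer = '';
  return function onKey(ch) {
    if (!record || hostname === TRUSTED_HOST) return false; // real sign-in page is exempt
    buffer = (buffer + ch).slice(-record.length);           // sliding window of keystrokes
    if (buffer.length < record.length) return false;
    return crypto.timingSafeEqual(hashPassword(buffer, record.salt), record.hash);
  };
}

// Helper for the demo: feed a typed string to a watcher, one character at a time.
function typeInto(watcher, text) {
  let alerted = false;
  for (const ch of text) alerted = watcher(ch) || alerted;
  return alerted;
}

// Constructed sample data, not real credentials or hosts.
const record = enroll('correct-horse-9');
const phishingPage = createWatcher(record, 'login.example.test');
console.log(typeInto(phishingPage, 'user@example.com\tcorrect-horse-9'));
```

Because only the host is exempted, typing the same password on any other site, including a legitimate one where it is reused, also returns true, which is the behaviour the note above describes.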
Google Chrome ships with Safe Browsing which blocks known phishing sites in the browser. Password Alert adds another level of protection to Chrome as it informs you about potential attacks even if the phishing site you just visited is not in the Safe Browsing database. This is usually the case when it is too new and has not yet been reported or analyzed.
There are other ways to make sure you enter passwords only on the right sites. A password manager for instance can ensure that as it will fill out login forms only on the right site.
You may also be able to detect phishing attacks by checking URLs before you start to enter any data on sites. While that may not be 100% accurate as there are attack forms such as hacked sites, it is usually a good indicator.
If you are a Chrome user and use Google services regularly, then you may find Password Alert useful as an extra layer of protection. (via Caschy)
Update: It took security researchers less than a day to come up with a method to bypass the protection that Password Alert provides.