Password Alert: official Google Chrome extension to protect against phishing

Martin Brinkmann
Apr 29, 2015
Updated • May 1, 2015
Google Chrome

Google has just released Password Alert, a browser extension for the company's Chrome browser that helps protect against phishing attacks targeting Google accounts.

Phishing, attacks aimed at stealing information such as login data or credit card information from Internet users, is a huge problem on the Internet.

Companies like Google have added security features to their services to improve the overall protection of accounts and make it harder for attackers to steal and use account related information.

Those methods are optional most of the time though. You can enable two-step authentication for instance for your Google account which adds another layer of protection during sign in.

Password Alert is another attempt to improve protection against phishing attacks. The extension warns users who have it installed if they have entered login related data on fake Google sign-in pages.

This is done by scanning pages with Google sign-in forms to find out if they are legitimate or not. One way of finding that out is whether you are entering the data on or a third-party site.

If the latter is the case, the warning is displayed.

password alert google

If you do enter the password and proceeded with the sign in, you get a notification that informs you that your password was exposed on a non-Google login page.

Google recommends to reset the password in this case to keep the account secure. There is an option to do so right when the prompt is displayed. Alternatively, you can select to ignore the warning this time which may be useful if the service is legitimate.

To get started, you need to sign in to your Google account after installing the extension. Password Alert saves a hash of the file which it then compares to passwords that you enter on all sites that you sign in but on

This is done to find out if the Google account password was entered. If that is the case, the warning is displayed.

Note: If you use the same password on multiple accounts you will get the warning even if you sign in with a non-Google account.

Password Alert works for home users and Google Apps for Work users. The Google Apps administrator needs to deploy Password Alert across domains using Chrome policies though before it becomes available.

To use Password Alert, the password needs to have a length of at least eight characters.

Google Chrome ships with Safe Browsing which blocks known phishing sites in the browser. Password Alert adds another level of protection to Chrome as it informs you about potential attacks even if the phishing site you just visited is not in the Safe Browsing database. This is usually the case when it is too new and has not yet been reported or analyzed.


There are other ways to make sure you enter passwords only on the right sites. A password manager for instance can ensure that as it will fill out login forms only on the right site.

You may also be able to detect phishing attacks by checking urls before you start to enter any data on sites. While that may not be 100% accurate as there are attack forms such as hacked sites, it is usually a good indicator.

If you are a Chrome user and use Google services regularly, then you may find Password Alert useful as an extra layer of protection. (via Caschy)

Update: It took security researches less than a day to come up with a method to bypass the protection that Password Alert provides.

software image
Author Rating
3 based on 1 votes
Software Name
Password Alert
Landing Page

Previous Post: «
Next Post: «


  1. DVD Rambo said on May 1, 2015 at 2:42 pm

    Version 1.4 was released that patches a vulnerability in version 1.2 that removed the helpful warning after 5 ms, so you never see it. If you installed Password Alert already, check the version that you have in Chrome and update if needed.

    1. DVD Rambo said on May 1, 2015 at 7:18 pm

      Version 1.4 was hacked with only three lines of code, and quickly. I’m deleting this extension as it appears to be of no value at this time.

  2. Kervin Vergara said on April 30, 2015 at 4:28 pm

    Greetings! Why I don’t see the blog images?

    1. Martin Brinkmann said on April 30, 2015 at 5:24 pm

      If you are using HTTPS Everywhere, turn off Ghacks with a click on its icon.

  3. Donetta said on April 30, 2015 at 12:18 am

    Look, for some reason I forgot my password to my Facebook account. And it can’t send me a code with out it. Please help!

  4. Bobby Phoenix said on April 29, 2015 at 2:42 pm

    Am I missing where the link is to the extension?

    1. Martin Brinkmann said on April 29, 2015 at 2:52 pm

      In the summary box after the article.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.