Google launches Password Alert to protect against phishing scams

Google is adding even more protection to Gmail accounts with a new Chrome extension named Password Alert. The extension will notify users if they use their Gmail password anywhere other than Google’s accounts.

This should protect against phishing and maintain Gmail password security, meaning that even if another site is hacked, the user’s password is safe. Google will also notify users if a website is using a faulty Google+ or Gmail log-in page before they enter the password.

Password Alert begins tracking as soon as it is installed on Google Chrome, checking every HTML page opened for password checks, Google sign-in pages and other verifiers.

The extension is currently only available in Chrome, and JavaScript needs to be enabled for it to work. It will also work with the Google for Work system, where it contacts both the user and the administrator if an issue arises.

Some security experts worry that this system will focus too heavily on having different passwords on every service and not enough on actual security against phishing and social engineering. If a user sees too many of these pop-ups, they may simply start ignoring them, adding more security threats.

Google is confident that this should serve as a good measure to keep users in line with current security standards and make sure they don’t fall into phishing traps. It is available in the Chrome App Store today for free.

Industry analysis

Aaron Higbee, CTO and Co-Founder, PhishMe:

"When PhishMe first introduced data-entry simulations in 2008, most technology providers wrote off the attack vector. The thinking then was that phishing was only bad attachments or URLs that delivered drive-by malware.

"Now that there have been several high profile phishing attacks that used password-stealing phishing emails, it's been good to see technology vendors take the threat more seriously.

"Will this extension stop data-entry attacks? Absolutely not. The attacker will defeat this extension simply by appending a “0” or “A” to the password – thereby causing the hash to change. Technology defence is a cat and mouse game. PhishMe will continue working on changing behaviours to make more resilient humans."

Fred Touchette, Manager of Security Research, AppRiver:

"I do believe that this is another good advancement in the realm of online security. Even though Google’s tool is currently limited to Chrome and Google passwords, the idea is a very good one.

"Phishing emails count on the network’s biggest weakness in order to be successful and that’s the human element. Because of that human nature or human error a great deal of phishing attacks are indeed effective. This has been proven time and time again, especially most recently where initial phishing attacks led to some of the biggest breaches in the history of cybercrime.

"One great thing about this tool is its availability as open source. An enterprise can now take this tool and customise it for their particular network. Companies can make this work specifically for them, looking out for domain passwords and only allowing them to be used on the proper whitelisted websites which would certainly help to keep the company and its employees safe.

"Along with proper continuing employee training on how to keep themselves and the company network safe, this concept could go a long way to keep everyone better protected from the misdirection of today’s phishing attacks."

Jared DeMott, Principal Security Researcher, Bromium:

"Password security is important. From choosing a strong password, to not reusing, there are many facets to password security. Probably the most important password initiative is the use of two factor authentication.

"Smaller safety checks as provided by this plugin could be useful as well. But passwords are only part of the game. A malicious website could still compromise your browser with a software exploit."