Using an email address/username and password is one of the most common ways to access online accounts, but you'll be surprised how many pages are actually designed to steal your passwords. What may look like a standard innocuous login page may in fact be designed to steal your Google credentials. And since these thieves are getting smarter by the day, you'll need more than your wits about you to keep you safe.
That's why Google has designed a new Chrome extension called Password Alert that will warn you when you sign in to pages that are not run by Google. Password Alert does this by checking the HTML of each page you visit to see if it’s impersonating a Google sign-in page.
Let's take a look at how the extension works.
Foil Those Phishing Attacks with the Password Alert Extension for Chrome
As with all Chrome extensions, you can install Password Alert from the Chrome Web Store for free.
You must then sign into one of Google's services for the extension to get activated and start monitoring your future logins.
The next time you sign in to a non Google account with your Google credentials, you will be asked to either reset your password or ignore the alert for that particular website. You will only get this alert the first time you use the password for other accounts. You can of course ignore it if you are confident of the website's genuineness.
Apart from giving you a phisihing warning, it will also remind you to never re-use your Google password on other websites.
Password Alert doesn’t store your password or keystrokes. Instead, it stores a secure thumbnail of it. It will compare this thumbnail against a thumbnail of your most recent keystrokes within Chrome to identify discrepancies.
The Password Alert Extension also works for Google for Work accounts including Google Apps and Drive for Work.
WHAT PASSWORD ALERT EXTENSION DOES
- Alerts you when you you sign into an non Google account with your Google credentials.
- Prevents you from reusing your Google password on other websites.
Apart from Password Alert, Google also recommends that you use two step verification and/or a Security Key to help prevent password phishing.
Password Alert Extension - What's Good and What's Not
Password Alert only maintains a scrambled version of your password, so your account credentials cannot be compromised.
It warns you when you are reusing your Google password for multiple accounts.
It would have been better if this came baked in with the browser instead of a separate extension.
It cannot tell you beforehand if you're on a phishing page. Only after you enter your password will you get the alert. This is probably better than never knowing at all I suppose.
The extension appears to be easily bypassable as demonstrated by IT security consultant Paul Moore who was able to bypass the 1.4 version of the extension.
Need extensions for other browsers as well.
With online phishing attacks becoming smarter by the day, it wouldn't hurt to add one more level of protection by way of Password Alert, but its apparent vulnerability makes us wonder if its worth it.
Leave a Reply