Google today released Password Alert, a free and open-source Chrome extension designed to protect Google and Google Apps for Work accounts against phishing attacks.
Password Alert warns users when they enter their Google passwords on any non-Google website. On one hand, the system alerts internauts when they enter their credentials on a phishing website designed to mimic a legitimate Google login page. On the other hand, the extension prevents the reuse of Google passwords for other accounts.
“If you use the same password on multiple accounts, and one of the accounts is compromised, attackers often try using the password for your other accounts to gain access with reused credentials,” Google explained.
When an alert is displayed, users are given the option to reset their password or ignore the warning.
Some users might be concerned that in order to detect phishing or password reuse the Chrome extension might save their password to the disk or send it to a remote system. However, Google says the application is not a keylogger. Password Alert has temporary access to users’ passwords every time they access their Google accounts. The extension saves a “salted reduced-bit thumbnail” of the password in the local Chrome storage and compares that scrambled version of the password with the one entered on other websites.
Password Alert is also recommended for organizations using Google Apps for Work. Administrators can install the extension for all the users in their domain and they receive alerts whenever a possible problem is detected. The Google Apps for Work version can be configured to allow the use of Google credentials on certain domains that are whitelisted by the administrator.
Enterprise users can also install Password Alert Server, a feature that allows them to audit alerts, send out email alerts, and force password resets.
Google provides a detailed guide on how to deploy, use and configure Password Alert. Administrators who want to use the tool will need Chrome App Management and the Google Admin SDK for deploying the extension and forcing password resets, the Google App Engine for hosting Password Alert Server, and access to GitHub in order to obtain the pre-built or source code application files.
For the time being, the application is not available as a Google-hosted solution; organizations must install it, run it, and maintain it on their own. However, companies interested in a Google-hosted solution provided through the Apps Marketplace can provide contact information and they will be contacted when the service becomes available.
“As our recent Threat Brief revealed, Google is by far the #1 target of phishing attacks. Developing a Chrome extension that protects users accessing their Google accounts will certainly help defend against the onslaught of phishing attacks targeting Google,” Webroot Security Intelligence Director, Grayson Milbourne, told SecurityWeek. “It would be great to see this same technology extended to other browsers and also to protect other major targets of phishing. While each company uses a different login technique, there is something to be learned from what Google has done with respect to protecting customers as they access their accounts.”
*Updated with comments from Grayson Milbourne