Google Aims at Phishing with Password Alert


Phishing pages are tricky by nature: they look like standard login pages, but are actually faux sites run by people looking to receive and steal passwords. Google is taking steps to thwart this common and dangerous trap with its Password Alert service.

Password Alert is an open-source Chrome extension that protects Google and Google Apps for Work accounts. Once installed, it shows a warning if a user types her Google password into a site that isn’t a Google sign-in page. The idea is to protect against phishing attacks and also to encourage web denizens to use different passwords for different sites, a security best practice.

“The most effective phishing attacks can succeed 45% of the time, nearly 2% of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day,” said Drew Hintz, security engineer, and Justin Kosslyn from Google Ideas, in a blog post.

For consumer accounts, once Password Alert is installed and initialized, Chrome will remember a “scrambled” version of the Google Account password. If a user then types that password into a site that isn't a Google sign-in page, an alert pops up warning that the user is at risk of being phished.
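How a “scrambled” password check of this kind can work, shown as an added example that is not Password Alert's own code. The salted-HMAC scheme, the `SIGN_IN_ORIGIN` constant and all function names are assumptions made for illustration.

```javascript
// Added illustration; not taken from the Password Alert source.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: the only origin where typing the password is expected.
const SIGN_IN_ORIGIN = 'https://accounts.google.com';

// "Scrambled" here means a keyed hash under a per-install random salt
// (assumed scheme), so the stored record never contains the password.
function scramble(salt, text) {
  return createHmac('sha256', salt).update(text, 'utf8').digest();
}

// Run once, when the user signs in on the legitimate page.
// Storing the length reveals it to anyone who reads the record; that is
// the price of hashing one fixed-size window per keystroke.
function enroll(password) {
  const salt = randomBytes(16);
  return { salt, length: password.length, digest: scramble(salt, password) };
}

// One watcher per page. It keeps only the last `length` typed characters,
// hashes that window after each keystroke and compares it with the record.
function createWatcher(record, origin) {
  let tail = '';
  return function onKey(ch) {
    if (origin === SIGN_IN_ORIGIN) return false; // expected place to type it
    tail = (tail + ch).slice(-record.length);
    if (tail.length < record.length) return false;
    return timingSafeEqual(scramble(record.salt, tail), record.digest);
  };
}

// Feed a string as keystrokes; true if any keystroke raised the alert.
function typeInto(watcher, text) {
  let alerted = false;
  for (const ch of text) alerted = watcher(ch) || alerted;
  return alerted;
}
```

Because the comparison runs over a sliding window of keystrokes, the password is detected even when it follows other input such as a username typed into the same page.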

As for Google for Work, including Google Apps and Drive for Work, administrators can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem.

“This can help spot malicious attackers trying to break into employee accounts and also reduce password reuse,” the Googlers said.

Google has been steadily beefing up its security measures, including expanding its Safe Browsing technology, offering tools like two-factor authentication and security keys, and rolling out encryption-by-default across its properties. The internet behemoth is not without work to do, of course, as the recent revelation of a major WHOIS privacy flaw that exposed nearly 300,000 domains registered via Google Apps to potential phishing attacks and identity theft efforts can attest.
