Prevent Phishing Scams With Chrome’s New Password Alert Extension

Google works to keep passwords out of the wrong hands by tightening security on its end, hiring engineers and removing bugs and viruses, but that doesn’t stop users from unwittingly typing their passwords into webpages made to look like the Google login site. Users of its Chrome browser can now protect themselves with a new extension.
The free Password Alert extension was released this week in an attempt to rescue people from the common and problematic phishing sites that masquerade as an official login page in order to steal passwords. After installing the Password Alert extension, users will be alerted every time they inadvertently reveal their login details on a page that is made to look like the official Gmail login site, and they’ll be given a chance to quickly reset their Gmail password before hackers can use the information. For those who work in corporations, a business’s incident response team can be automatically alerted by the software.
Drew Hintz, security engineer at Google, says that the security industry now expects people to know when they are faced with a real login page versus a fake login page, but that is an unreasonable demand. The Password Alert extension helps users to make the decision about whether they have just typed their password into an official page or not.
Hintz also talks of how Google has battled phishing for years and has seen first-hand, through Google’s own tests, that password phishing is a real threat that can’t be patched. Google has been using its own version of the new Password Alert extension on its own systems for the last three years, and it has proved so successful that it is now being made available to all Chrome users.
In addition to phishing sites, Password Alert also helps to curb the problem of users employing the same password for lots of different sites, which is usually thought to be beyond the control of internet services. If you use another site with the same password as your Gmail account, then your account is only as secure as that other site, whatever Google’s expensive technology does. Hackers know that passwords obtained for one site can often work across a host of other sites too. However, the Password Alert extension will trigger the same alert as with a phishing site when a user tries to reuse their Gmail password with another web service. This is likely to prevent people from using the same password for accounts with different services.
Phishing has always been a big problem on the internet, and it is still one of the most serious and difficult-to-beat problems in internet security. Information obtained by phishing can be the starting point for large organised crime, from the theft of large amounts of credit card data to sophisticated, widespread and targeted attacks. 2% of all the Gmail emails that Google sees are phishing attempts, and it estimated that 45% of the most deceiving emails are enough to trick users into divulging their details. According to a Verizon report, targeted phishing campaigns made against a business or agency can take just 80 seconds to con a user and obtain a point of compromise.
Currently, when the Chrome extension is installed, it asks users to log in to their Gmail account. It then locally records a cryptographically hashed version of the password on the user’s computer, which lets Password Alert check the password against those used on other sites, but which in theory is meaningless to anyone who can access it. The extension does not store any information on Google’s servers, despite the permissions it asks for on installation, which may worry some users.
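The check described above, sketched as an added Node.js example that is not taken from the Password Alert source: a salted digest is stored at enrolment, and a sliding window of recent keystrokes on any other origin is hashed and compared against it, which covers both the phishing-page and the password-reuse alerts. The function and class names, the PBKDF2 parameters and the trusted origin are assumptions made for illustration.

```javascript
// Added illustration, not the Password Alert source. All names are hypothetical.
const crypto = require('crypto');

const ITERATIONS = 10000; // assumed work factor: slows offline guessing of a stolen record
const TRUSTED = new Set(['https://accounts.google.com']); // assumed genuine sign-in origin

function digest(text, salt) {
  return crypto.pbkdf2Sync(text, salt, ITERATIONS, 32, 'sha256');
}

// Enrolment, run once on the genuine login page: keep salt, length and digest only.
function enroll(password) {
  const salt = crypto.randomBytes(16);
  return { salt, length: password.length, hash: digest(password, salt) };
}

class KeystrokeWatcher {
  constructor(record) {
    this.record = record;
    this.origin = null;
    this.buffer = '';
  }

  // Feed one typed character; returns true when an alert should fire.
  onKey(origin, ch) {
    if (origin !== this.origin) { // new page: start a fresh window
      this.origin = origin;
      this.buffer = '';
    }
    if (TRUSTED.has(origin)) return false; // typing the password here is expected
    // Sliding window holding only the last `length` characters typed.
    this.buffer = (this.buffer + ch).slice(-this.record.length);
    if (this.buffer.length < this.record.length) return false;
    const candidate = digest(this.buffer, this.record.salt);
    return crypto.timingSafeEqual(candidate, this.record.hash);
  }
}

// Helper for the demo: type a whole string, report whether any keystroke alerted.
function typeInto(watcher, origin, text) {
  let alerted = false;
  for (const ch of text.split('')) alerted = watcher.onKey(origin, ch) || alerted;
  return alerted;
}

// Constructed sample data.
const record = enroll('correct-horse-7');
const watcher = new KeystrokeWatcher(record);
console.log(typeInto(watcher, 'https://accounts.google.com', 'correct-horse-7')); // false
console.log(typeInto(watcher, 'https://login.example.test', 'me@example.comcorrect-horse-7')); // true
```

The stored record still reveals the password length and can be guessed against offline, so the work factor and access to the local record both matter.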
Future versions of the Password Alert Chrome extension will let users protect passwords used for sites other than Gmail, for example their banking login details and those used for work sites.
Google already implements measures to protect its users’ passwords, such as Safe Browsing and two-factor authentication. Safe Browsing is also available for Firefox and Safari and creates alerts for phishing attempts on particular sites according to Google’s crawls of the web. The Password Alert extension can’t yet be easily installed on other browsers, but the open-source code is available on GitHub.
With the new Password Alert Chrome extension we may start to see a reduction in phishing and better choices made by users when creating new passwords. Companies such as Google are taking it upon themselves to protect their users’ data rather than relying on the user to be more vigilant than may be possible.