No matter how sophisticated your security is, the biggest risk is always the same: users clicking the wrong links and submitting their passwords to the wrong websites. It's a tricky problem to solve, but Google has a new idea about how to fight it. Today, the company is unveiling a new Chrome extension called Password Alert, designed to serve as an early warning system against phishing attacks. "Phishing should be a real concern for everyone — journalists, activists, companies, or individuals," says Justin Kosslyn, a product manager at Google Ideas. "This is a useful and quiet line of defense against a real challenge."
The extension works by comparing a hashed version of your password to any string of characters you input to the browser. If it finds you've entered your Google password at a non-Google website, it will redirect you to a warning page, telling you something has gone wrong. (The user might also be using their Google password for more than one account, which would be a smaller security risk, but still a problem.) Since Password Alert only holds the hashed version of your password, it can perform the check without exposing your actual password to any extra risk. Anyone administering a Google for Work account can also make Password Alert mandatory across their domain. Any time an employee gets an alert, so will the administrator.
The biggest weakness is that Password Alert can only scan a password that's been successfully submitted, so the user will only be alerted after they've been successfully phished. (If it ran the check any earlier, it would be logging everything you typed into your computer, an even bigger security risk.) Still, even a late warning will give users time to change their passwords and lock down their accounts. For users with two-factor authentication, it should be easy to change the password before the attackers can make use of it.
Password Alert could also tighten security outside of Google accounts. The current extension is built to integrate with Google's password system, but the code is open source, so it should be easy to adapt the code to other systems. "We hope that the open-source community scales Password Alert to provide additional security to internet users," says Kosslyn. "Today's launch is just a starting point."