Google polishes Chrome security with Password Alert

Hang out the 'Gone Phishing' sign and relax

Google's seen way too much phishing, it seems, so the Chocolate Factory has pushed out a Chrome extension to catch attacks against accounts on Google domains.

Mountain View reckons two per cent of Gmail messages are phishing attempts, and a well-constructed attack can have a 47 per cent success rate.

Outlined here, the Password Alert extension will warn users if they type their Google password into a non-Google domain. There's also a Google for Work server which, among other things, would help alert sys admins if someone mounts a targeted attack campaign against their business.

If a user is successfully phished, Password Alert tells them they need to reset their password, as illustrated in the image at the top of the story.

The extension needs to remember a hashed version of the user's password (referred to as a fingerprint), but Google promises that it won't ever share the password (and, after all, storing it locally means there's no need for the extension to phone home).

As the extension's Chrome store page explains: “If you are using Password Alert in a Google Account, Password Alert does not send any data from your local computer.”

To run the extension, the user has to have Javascript enabled, and users have to do a little extra work if they want it to operate in incognito tabs:

“Password Alert doesn't protect Chrome Apps or Chrome Extensions, and it only protect incognito tabs if configured at chrome://extensions”.

For organisations using Google for Work, there's also a server deployment that lets sys admins receive alerts if a user gets phished (while still keeping the password fingerprint local to the user's machine).

The source code is at GitHub, and there's a pre-built copy of the server. The main dependency sysadmins need to pay attention to is the Google App Engine SDK for Python. ®

Biting the hand that feeds IT © 1998–2021