The best IT security in the world is useless if a user mistakenly tries to log into a phony site they believe is legitimate. A simple mistype of a URL or a clever phishing attempt is often all it takes to lure some users into voluntarily giving up their credentials.
Google has come up with a new anti-phishing extension for Chrome called Password Alert it hopes can help fight against phishing. As the name suggests, the extension is designed to alert users if they’re about to (or already have) entered their Google account credentials into a non-Google property.
Upon installation, Password Alert will initialize itself the next time you enter your password into accounts.google.com. Each time you sign into a Google account, the extension saves a salted reduced-bit thumbnail of your password to Chrome local storage. This is then compared to each password you enter into any other website.
Although not explicitly expressed, the extension is also designed to help teach better password practices by encouraging users to not use the same password for multiple accounts.
Eran Feigenbaum, Google’s Director of Security for Google Apps for Work, said the company has been using a very similar tool internally the the past few years. He added that even Google staffers regularly fall for phishing attacks.
As of now, Password Alert only works with Google and Google for Work accounts. The good news, however, is that the code is open source so it can be implemented by other sites and services in the future.