Google is rolling out a new extension for Chrome that will monitor users’ logins and warn them if they enter a Google password on a non-Google page, a move designed to help protect users against phishing attacks.

The new extension, called Password Alert, works for both consumer accounts and Google Apps for Work accounts. Company officials say that almost two percent of all of the messages sent to Gmail every day are some form of phishing attempt. Gmail users are a key target for attackers because not only are there millions of them, but if an attacker is able to get a Gmail user’s password, he would have access to all of that victim’s Google data, including docs, photos and whatever else is stored with the company.

“Here’s how it works for consumer accounts. Once you’ve installed and initialized Password Alert, Chrome will remember a “scrambled” version of your Google Account password. It only remembers this information for security purposes and doesn’t share it with anyone. If you type your password into a site that isn’t a Google sign-in page, Password Alert will show you a notice like the one below. This alert will tell you that you’re at risk of being phished so you can update your password and protect yourself,” Drew Hintz and Justin Kosslyn of Google wrote in a post on the new extension. 
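The check described in that quote, comparing what is typed against a stored "scrambled" password, can be sketched as follows. This is an added example, not Google's code or Password Alert's actual implementation: the keyed-hash scheme, the allow-listed sign-in origin and the names `enroll`, `scramble`, `TypingMonitor` and `typeInto` are all assumptions made for illustration.

```javascript
// Added sketch of a "scrambled password" typing check (assumed design).
const nodeCrypto = require("node:crypto");

// Assumption: the only origin where typing the password is expected.
const ALLOWED_ORIGINS = new Set(["https://accounts.google.com"]);

// Keyed digest of a string; the random salt is the HMAC key.
function scramble(salt, text) {
  return nodeCrypto.createHmac("sha256", salt).update(text, "utf8").digest();
}

// Store a salt, the password length and the digest, never the plaintext.
// A fast hash keeps per-keystroke cost low, but anyone who can read this
// record can test password guesses against it offline.
function enroll(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, length: password.length, digest: scramble(salt, password) };
}

class TypingMonitor {
  constructor(record) {
    this.record = record;
    this.tails = new Map(); // per-origin tail of recently typed characters
  }

  // Feed one typed character. Returns true when the last `length` characters
  // hash to the stored digest on an origin outside the allow-list.
  onKey(origin, ch) {
    const n = this.record.length;
    const tail = ((this.tails.get(origin) || "") + ch).slice(-n);
    this.tails.set(origin, tail);
    if (tail.length < n) return false;
    const candidate = scramble(this.record.salt, tail);
    const match = nodeCrypto.timingSafeEqual(candidate, this.record.digest);
    return match && !ALLOWED_ORIGINS.has(origin);
  }
}

// Helper for the sample run: type a whole string, report whether any
// keystroke raised an alert.
function typeInto(monitor, origin, text) {
  let alerted = false;
  for (const ch of text) alerted = monitor.onKey(origin, ch) || alerted;
  return alerted;
}
```

The stored record is exactly what Beardsley's caveat later in the article is about: it lives in the browser, so its protection is only as good as the browser's and the extension's.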

Google has released a number of security features and extensions in the last couple of years that are meant to help lock down not just Gmail but Google accounts in general. The company has made HTTPS connections the default method for connecting to Gmail, offers two-factor authentication for the service and also has a slew of warnings for users when they encounter dangerous sites or are wandering into shady neighborhoods online.

Hintz and Kosslyn said that it’s simple for businesses that use Google Apps for Work to install the Password Alert extension.

“Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem. This can help spot malicious attackers trying to break into employee accounts and also reduce password reuse,” they said.

The extension is available only for Chrome right now. Security experts say Password Alert is a nice add-on for many users, but may not be for everyone.

“For the average user, I love this. This is one of those helpful safety widgets that any security professional can install on their family’s computers over Thanksgiving and know that it will solve a huge pile of common security problems. The idea that your browser can keep an eye on what you’re logging into and say, ‘Hold up! You just did something kinda crazy!’ is great,” said Tod Beardsley, security engineering manager at Rapid7.

“The downside, of course, is that your password security appears to depend entirely on the security of the browser and this plugin. Any exploitable flaw in either can expose your Google Accounts password to attackers. So, for people who already take their personal computing security seriously, this is not the plugin for them. After all, for many people, a compromise of their Google account is effectively a compromise of their entire online identity. If Gmail is your primary e-mail source, and I get control of that, I can ‘forget my password’ to pretty much any site you’re registered on and be you, there. Not to mention the usual private material that people tend to store in Gmail, Google Docs, their Android phones, etc.”
