Google yesterday released a free Chrome extension that preempts users from entering their Google account password into bogus websites and hampers the bad habit of reusing credentials.
"Once you've installed it, Password Alert will show you a warning if you type your Google password into a site that isn't a Google sign-in page," said Drew Hintz, a Chrome security engineer, and Justin Kosslyn, who is on the Google Ideas team, in a Wednesday blog. "This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice."
Password Alert came out of Ideas, Google's New York City-based think tank.
Hintz and Kosslyn touted the add-on as a defense as both protection against phishing attacks and a way to push users into discarding their password reuse bad habits. Password Alert uses the same mechanics to accomplish both.
Once installed and activated, the add-on will display an alert any time users try to use their Google account password other than on accounts.google.com, the consumer log-on address, or a domain whitelisted by a business's IT administrator for Google for Work.
Those restrictions will deter entering the password on a fake website and reusing the Google account password on any other site.
In tests by Computerworld, Password Alert interrupted a log-on with a Google account password as soon as the final character was typed, but before the Enter key was pressed or a Submit button clicked, signaling that the extension proactively disrupts the process before the information is sent to the phony or unauthorized site.
That seemed to contradict the displayed dire warning, which urged users to "immediately reset your password to keep your Gmail account secure." If Password Reset does intercept the password before it's sent, as seems the case, there would be no reason to reset that password.
Although Google made much of the add-on's ability to block users from giving up their passwords to phishing sites, in practical terms it actually nags far more often about the Google account password's reuse: Phishing attacks are rare, according to research, compared to the habit of using one (or a few) passwords over and over for different sites and services.
Password Alert's nagging will either put a stop to that -- requiring users to practice better security by changing passwords on non-Google sign-ins -- or lead to frustration from seeing the alert, which could make the stubbornly self-destructive yank it from Chrome.
Users can mute the alert on any given website or conduct a one-time click-through that ignores the warning, however.
Google, skittish about privacy issues, preemptively denied that Password Alert was a "keylogger," a label for malware that hackers use to capture passwords. "Password Alert doesn't save keystrokes to disk, and it doesn't send any keystrokes to any remote system," Google stated in a FAQ.
Instead, the add-on grabs the Google account password, encrypts it, then saves a partial "thumbnail" of the result to Chrome's local storage on the device. Later, Password Alert compares that thumbnail to the passwords entered on other sites: If they match, the warning flag goes up.
While Password Alert is optional at this point, Google could easily roll the functionality into the browser down the line. The Mountain View, Calif., company has done that before, most recently this year when it overhauled Chrome's bookmarks manager about a year after first offering the new design in an add-on.
Password Alert can be downloaded from the Chrome Web Store and installed into the browser on Windows, OS X and Linux.