Google Cracks Down On Phishing With New Chrome Extension

Google has unveiled a new Chrome extension aimed at thwarting phishing attacks.

The free, open-source extension, called Password Alert, warns you whenever you type your Google password into a website outside the Google domain. The feature is designed to guard against spoofed emails and malicious websites that impersonate real services in order to lure you into inadvertently handing your password to attackers.

The extension stores a scrambled version of your Google password and cross-checks it whenever you type a password into an outside site, according to a blog post. If the password matches, it shows a notification prompting you to reset your password immediately. Because only the scrambled version is stored, performing the check does not reveal your actual password to the site.

For users of Google for Work, the company’s enterprise-focused platform, the administrator can require Password Alert across a domain and can also choose to receive a notification whenever a user in that domain triggers an alert.


Of course, the warning will also appear when you log into other legitimate sites if you use the same password across multiple platforms. But, as web security experts constantly stress, recycling passwords is a bad habit anyway, since your accounts can fall like dominoes if attackers do steal one password.

Still, for those who ignore that advice, there is an option to turn off the service for specific sites.
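The mechanism described above (a scrambled copy of the password kept locally, compared against what you type on sites outside the Google domain, with a per-site opt-out) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Password Alert's own source code: the trusted-host set, the PBKDF2 parameters, the decision to store the password's length so the monitor knows when to compare, and the hypothetical `PasswordAlert` class are all assumptions of the example.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed for this example: hosts where typing the Google password is expected.
TRUSTED_HOSTS = {"accounts.google.com", "mail.google.com"}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


class PasswordAlert:
    """Hypothetical local password-reuse monitor (not the extension's code).

    Only a salted PBKDF2 fingerprint of the password is kept as state; the
    clear-text password is not retained as an attribute. The comparison runs
    entirely in the client, so nothing is sent to the site being typed into.
    """

    def __init__(self, password: str, iterations: int = 20_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        # Assumption of this example: the length is stored so the monitor knows
        # when enough characters have been typed to run one comparison.
        self.length = len(password)
        self.fingerprint = self._fingerprint(password)
        self.allowlist = set()      # per-site opt-out (the "turn off" option)
        self._recent = ""           # rolling window of the last `length` keystrokes
        self._last_host = None

    def _fingerprint(self, text: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), self.salt, self.iterations)

    def allow_site(self, host: str) -> None:
        """Turn the check off for one site, as the extension's per-site option does."""
        self.allowlist.add(host.lower())

    def keystroke(self, url: str, char: str):
        """Feed one typed character.

        Returns an alert dict when the Google password has just been typed into a
        non-Google, non-allowlisted site, otherwise None.
        """
        host = host_of(url)
        if host != self._last_host:      # a new page: discard keystrokes from the old one
            self._recent = ""
            self._last_host = host
        self._recent = (self._recent + char)[-self.length:]
        if host in TRUSTED_HOSTS or host in self.allowlist:
            return None
        if len(self._recent) < self.length:
            return None
        # Compare fingerprints in constant time; the password itself is never compared.
        if hmac.compare_digest(self._fingerprint(self._recent), self.fingerprint):
            self._recent = ""            # do not re-alert on every further keystroke
            return {"host": host, "action": "reset your Google password now"}
        return None

    def type_text(self, url: str, text: str):
        """Convenience wrapper: feed a whole string, return the first alert raised (or None)."""
        for ch in text:
            alert = self.keystroke(url, ch)
            if alert:
                return alert
        return None


if __name__ == "__main__":
    monitor = PasswordAlert("correct horse battery staple")   # constructed sample password
    print(monitor.type_text("https://accounts.google.com/signin", "correct horse battery staple"))
    print(monitor.type_text("https://login.examp1e-phish.test/", "correct horse battery staple"))
```

Two design points are worth noting. The fingerprint is a slow salted hash rather than an encrypted copy, so even if the stored value leaks it does not directly yield the password; and storing the password's length is a trade-off, since it lets the monitor hash only once per page instead of at every plausible length, at the cost of revealing that length to anyone who can read the stored state.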

Phishing scams can slip through even the most sophisticated web security systems because they are able to trick web users into clicking on fake links or visiting fake websites.

Researchers found that the most effective phishing attacks are successful 45% of the time, according to a study cited in the blog post. Google says nearly 2% of the total emails sent to Gmail are scams like these, and some services send out millions of these emails every day.


Tod Beardsley, a security engineering manager with IT security firm Rapid7, said the plugin is a good way to step up security for most users, but it may not be for everyone.

“The downside, of course, is that your password security appears to depend entirely on the security of the browser and this plugin. Any exploitable flaw in either can expose your Google Accounts password to attackers,” Beardsley wrote in an email.

That said, Beardsley added that he had looked over the extension’s code, which is available on GitHub, and was unable to find any potential flaws.

“This is one of those helpful safety widgets that any security professional can install on their family’s computers,” Beardsley said. “The idea that your browser can keep an eye on what you’re logging into and say, ‘Hold up! You just did something kinda crazy!’ is great.”

On Thursday, IT security consultant Paul Moore posted seven lines of JavaScript designed to bypass Password Alert and demonstrated it in a YouTube video. The code dismissed the plugin’s notifications as soon as they appeared.

The revelation forced Google to release an updated version of the plugin, but in another tweet on Friday, Moore claimed that he had bypassed the newer version as well.
