Google wants to stop successful password phishing attempts where many begin: in your web browser. Today, it released a free, open-source extension for its Chrome browser that warns users when they’re entering their Gmail, Google Account, or Google Apps password on a non-Google site.
Password Alert stores what Google calls a “scrambled” version of the password (a salted, reduced-bit thumbnail), then flashes a security alert on screen if you type the password into a site that isn’t one of Google’s.
Of course, this means that you actually have to install Password Alert and not engage in password worst-practices by reusing the same password you use for Google’s sites on multiple sites. It also doesn’t protect against using an easily guessed password like, well, “password.”
And finally, once it does detect that you’ve done a bad thing and entered your password into a bad site, there still may be no option other than to change it, before it’s potentially hijacked and misused.
But Google says in a blog post the new extension can help protect against “a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day.” So for even an experienced and wary user, it could backstop against accidental password entry slip-ups.
Password Alert can also be installed by Google for Work customers (including Google Apps and Drive for Work) for everyone in a managed domain, also sending alerts to the domain administrator.
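The check described above, a stored salted reduced-bit thumbnail compared against what is typed on non-Google pages, can be sketched as follows. This is an added illustration, not Password Alert's own code: the SHA-256 hash, the 37-bit width, the stored password length, the rolling keystroke window and the host names are all assumptions of the sketch.

```javascript
const crypto = require("node:crypto");

const THUMB_BITS = 37; // assumed width for this sketch; the article only says "reduced-bit"

// Salted hash truncated to THUMB_BITS. Many inputs share a thumbnail, so a
// stolen record cannot confirm one exact password, at the cost of rare false alerts.
function thumbnail(salt, text) {
  const digest = crypto.createHash("sha256").update(salt).update(text, "utf8").digest("hex");
  return (BigInt("0x" + digest) >> BigInt(256 - THUMB_BITS)).toString(16);
}

// Run once after a genuine sign-in: keep salt, length and thumbnail, never the password.
function enroll(password) {
  const salt = crypto.randomBytes(16);
  return { salt, length: Array.from(password).length, thumb: thumbnail(salt, password) };
}

class KeystrokeWatcher {
  constructor(record, trustedHosts) {
    this.record = record;
    this.trusted = new Set(trustedHosts); // hosts where typing the password is expected
    this.window = [];                     // last `record.length` characters typed
    this.host = null;
  }

  // Feed one typed character; returns true when an alert should be shown.
  onKey(host, ch) {
    if (host !== this.host) { this.window = []; this.host = host; } // new page, new window
    if (this.trusted.has(host)) return false;                      // legitimate sign-in page
    this.window.push(ch);
    if (this.window.length > this.record.length) this.window.shift();
    if (this.window.length < this.record.length) return false;
    return thumbnail(this.record.salt, this.window.join("")) === this.record.thumb;
  }
}

// Demo helper: type a whole string and report whether any keystroke raised an alert.
function typeInto(watcher, host, text) {
  let alerted = false;
  for (const ch of text) alerted = watcher.onKey(host, ch) || alerted;
  return alerted;
}
```

Because the window slides one character at a time, the alert fires as soon as the last character of the password is typed, before any form is submitted, which is why the remaining remedy is still to change the password.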