Google Announces "Password Alert" To Protect Against Phishing Attacks

HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.

Re:Wait..

Because telling you as you're typing your password into a phishing page is already too late. Javascript key logging anyone?

"scrambled" version

[NotInHere]

Can you please stop with this plebs speak? This is a site for nerds, not for non-technical people. Say "hash" when you mean "hash". I mean is researching actual technical info so hard? For everyone not wanting to click links: its comparing the first 37 bits of the hash, using the SHA-1 hash mechanism. And yes its salted.

Re:"scrambled" version

[xxxJonBoyxxx]

>> So basically, Google is giving you access to their hash, salt, and saying "Enjoy unlimited cracking attempts...

Not exactly. The 37-bit version is just less than 25% of the full 160-bit SHA-1 so, as the source mentions (https://raw.githubusercontent.com/google/password-alert/master/SECURITY.md) the intent is to keep enough of the password to tell when the same password has been tried twice, but not enough of the hash to allow someone to authoritatively crack it. (I hope - haven't seen the proof of 37-is-the-right-number yet.)

This isn't the first time someone's used hashes with high collision rates to see if the same passwords are being tried without actually storing enough of a hash to flag the password. See this article for a different example (trying to tell badly configured clients from brute forcing attempts): http://www.filetransferconsult...

Re:So like the cops...

[swillden]

So like the cops... it shows up only after the crime has been committed, and only protects some of the population (Google passwords) and not the rest of the population (e.g. your banking password isn't protected, because it's not a Google site).

Seems slightly less than useful.

I disagree.

If you use Gmail as your primary e-mail then your Google password is the crown jewel of your online identity, since every other site out there (including your bank) uses e-mail as the password reset channel. Sure it might be nice if the tool were more general-purpose (though that would require changing the hashing strategy, which intentionally uses relatively few bits as a security measure to protect against brute force), but if you can protect only one password, your e-mail password is the one.

For people who use not just Gmail but lots of Google services, it's even more critical. I store lots of important stuff in Drive, have my phone report my exact location, have my whole address book synced, etc., etc. It doesn't concern me to have so many eggs in one basket because I trust Google to maintain good security, but it can only be as good as my authentication. I use 2FA, but there's still value in being careful with such an important password.