Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Announces "Password Alert" To Protect Against Phishing Attacks

Posted by samzenpus on from the protect-ya-neck dept.

HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.

3 of 76 comments (clear)

  1. Re:Put on the popcorn by vux984 · · Score: 3, Interesting

    The intersection of the set of people that care about security enough to install this extension, yet don't care enough to use unique passwords, is probably rather small

    Fair enough. Still...

    "Password Alert is also available to Google for Work customers, including Google Apps and Drive for Work. Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem."

    The intersection of administrators who might think its a good idea with end users that use the same password on other sites might be large enough to be at least a little bit fun.

    Yes, making this work for all password protected sites, rather than Google-only, would be nice. That would not only stop many phishing attempts, but would also discourage cross-site password reuse.

    Yeah, if it were integrated with something like password safe or password gorilla or keypass etc.

    Or I suppose it could be tied into the A/V products which already have anti-phishing extensions -- McAfee for example, already has a password safe and antiphishing ... seems almost a no-brainer for them to integrate them in this way. The password safe component could dump a list of hashes and domain names and if you try entering a password that matches the hash throw up an alert. And then maybe flag the page for A/V's phishing lists so if a page is generating alerts like crazy visitors it can be blacklisted -- preventing other users from even reaching the domain/phishing page.

  2. Re:Put on the popcorn by vux984 · · Score: 3, Interesting

    Your criticism amounts to "If it doesn't completely solve the problem for everybody its no good." and that is false.

    Yes some will switch to various simple password patterns t.password for twitter... f.password for facebook... or maybe fb.password... etc. That's still an improvement. Even simple patters require some effort to break.

    Some fraction will use a harder patterns that aren't immediately obvious. That's an improvement. Lets say my password is "stupidgdog" for google. Maybe your automated phishing tools will try stupidfdog on facebook... but maybe not.

    Some fraction will use a slightly harder pattern.

    Lets say I use stupidgHdog as my google password. My new pattern is still simple. its "stupid" + "first name of domain" + "next letter in alphabet capitalized" + "dog"

    With just one sample, are you really sure your automated phishing tools going to figure out that facebook is: stupidfGdog ? And twitter its stupidtUdog?

    And that's still pretty lazy as passwords go.

    Some smal fraction will take the hint and use much harder patterns. That will take several fished passwords for the user and probably some human eyes to figure out. This is an improvement.

    Lets say my google password is: C69.7Germanium what's my facebook password?

    Here... I give you twitter on this pattern too: N47.8Vanadium.
    With 2 samples passwords you've got enough of a pattern to try and brute force it... letter + 3 digits + element... 26* 1000 * 118... 2.6 million passwords to try.

    Very doable if its a targeted search on a particular user... but your probably not going to spend the time looking at each fished password and then write a script to do that specific search... for just one random user. Probably.

    And some fraction of people will switch to using a password safe or something, and thats an improvement too.

  3. Google is on to something here by dskoll · · Score: 3, Interesting

    Google is on to something, but the implementation is wrong. First of all, this facility should be built in to browsers, not added as an extension. Secondly, it needs to be generalized: Just as browsers currently ask "Would you like to save this username/password for www.somesite.example", they should also ask "Would you like to lock this username/password combination to www.somesite.example?" and offer the usual "Yes / No / Not now" choices.

    If you say "Yes", then the browser should alert you every time it sees that password on a different site.