Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Announces "Password Alert" To Protect Against Phishing Attacks

Posted by samzenpus on from the protect-ya-neck dept.

HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.

7 of 76 comments (clear)

  1. Funny by ArcadeMan · · Score: 4, Funny

    Google warning us about other people trying to get our informations.

    --
    Get free satoshi (Bitcoin) and Dogecoins
  2. Re:Wait.. by Anonymous Coward · · Score: 5, Informative

    Because telling you as you're typing your password into a phishing page is already too late. Javascript key logging anyone?

  3. Chrome will remember a "scrambled" version by SoCalChris · · Score: 4, Insightful

    It's sad how far Slashdot has fallen.

    1. Re:Chrome will remember a "scrambled" version by Okian+Warrior · · Score: 4, Funny

      It's sad how far Slashdot has fallen.

      It's sad how smugly superior the tech nerds are here.

      It's sad that non-tech people waste their time visiting a site advertising itself as "news for nerds" and then complain when someone wants the site to cater to nerds.

      It's sad how entire families can be torn apart by something as simple as wild dogs.

    2. Re:Chrome will remember a "scrambled" version by amias · · Score: 4, Insightful

      hmm , how do i find passwords on this computer...

      lets start typing random strings into a password field until this plugin tells me which is the google password.

      yay , now i can log in to their google account first time !

      this is almost as silly as those things that validate your bank cards pin for online banking that let
      muggers force you to disclose your pin in a way that the banking system couldn't possibly no.

      i really hope this isn't going to be installed on mobile phones

      --
      [site]
  4. "scrambled" version by NotInHere · · Score: 5, Informative

    Can you please stop with this plebs speak? This is a site for nerds, not for non-technical people. Say "hash" when you mean "hash". I mean is researching actual technical info so hard? For everyone not wanting to click links: its comparing the first 37 bits of the hash, using the SHA-1 hash mechanism. And yes its salted.

    1. Re:"scrambled" version by xxxJonBoyxxx · · Score: 4, Informative

      >> So basically, Google is giving you access to their hash, salt, and saying "Enjoy unlimited cracking attempts...

      Not exactly. The 37-bit version is just less than 25% of the full 160-bit SHA-1 so, as the source mentions (https://raw.githubusercontent.com/google/password-alert/master/SECURITY.md) the intent is to keep enough of the password to tell when the same password has been tried twice, but not enough of the hash to allow someone to authoritatively crack it. (I hope - haven't seen the proof of 37-is-the-right-number yet.)

      This isn't the first time someone's used hashes with high collision rates to see if the same passwords are being tried without actually storing enough of a hash to flag the password. See this article for a different example (trying to tell badly configured clients from brute forcing attempts): http://www.filetransferconsult...