Google's new Password Alert tool works to prevent phishing attacks
Password Alert, an extension for the Chrome Web browser, will let you know if you've typed your Google password into a non-Google site. Password Alert will then prompt you to change your password so that it doesn't fall into the hands of thieves.
Security experts have established all sorts of best practices for keeping online passwords secure: pick a string of characters that's not easy to guess, don't use passwords based on dictionary words, don't write your passwords down, don't reuse passwords across different sites; the list goes on. But most people simply don't have the mental bandwidth to remember dozens of different passwords for the different sites they use, and as password management tools such as LastPass and 1Password haven't caught on widely, many of us reuse the same password on many different web sites.
But by recycling passwords, we're making ourselves easier prey for "phishing" attacks. A phishing attack occurs when a bogus email or Web site tricks us into giving up our username and password by posing as a service we use every day. If you've ever gotten an email purporting to be from eBay or PayPal, asking that you log in to address a vaguely defined problem with your account, it was probably a phishing attack.
On Wednesday Google released Password Alert, an extension for the Chrome Web browser that will help defend against phishing attacks by saving careless Internet users from themselves. Password Alert will let you know if you type your Google account password into a non-Google site, and will prompt you to change your password immediately if that happens.
If you're a Gmail user, your Google password is particularly important, because a hacker can gain access to most of your other accounts if he or she gains access to your email. In most cases, it's as simple as clicking the "Forgot your password?" link on a login page. The site will send a reset password to your email account, which the hacker can then intercept. Password Alert will give you a heads-up that you've typed your password into an unsafe site, giving you time to change it before the bad guys do.
Password Alert also automatically checks the code of sites you're visiting so it can determine whether a particular page is masquerading as a Google login page. If it notices one, it'll warn you so you don't get tricked into sharing your credentials.
Password Alert stores your Google password through what's called a hash: a combination of your password and an additional string of characters that allows the sensitive data to be stored securely. That allows it to check the passwords you enter on different web sites against the hashed password in its database, and to alert you if it notices that you've entered your Google password on a non-Google site.
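To make the hash check described above concrete, here is an added sketch of the idea; it is not Google's code or Password Alert's actual design. The salted SHA-256 hash, the stored password length, the origin allowlist and all function names are assumptions made for illustration.

```javascript
// Added example, not Password Alert's code. Assumptions: salted SHA-256,
// a stored password length, and a small allowlist of Google origins.
const crypto = require('node:crypto');

const ALLOWED_ORIGINS = new Set([
  'https://accounts.google.com',
  'https://myaccount.google.com',
]);

function saltedHash(salt, text) {
  return crypto.createHash('sha256').update(salt).update(text).digest('hex');
}

// Run once on a legitimate sign-in. Only salt, hash and length are kept;
// the password itself is never stored.
function enroll(password) {
  const salt = crypto.randomBytes(16).toString('hex');
  return { salt, hash: saltedHash(salt, password), length: password.length };
}

// Per-page watcher: keeps only the last `length` typed characters and
// compares their salted hash with the stored one after each keypress.
function createWatcher(record, origin) {
  let buffer = '';
  return function onKey(ch) {
    if (ALLOWED_ORIGINS.has(origin)) return false; // typing it on Google is expected
    buffer = (buffer + ch).slice(-record.length);
    if (buffer.length < record.length) return false;
    const typed = Buffer.from(saltedHash(record.salt, buffer), 'hex');
    const stored = Buffer.from(record.hash, 'hex');
    return crypto.timingSafeEqual(typed, stored); // true => prompt a password change
  };
}

// Feeds a string to a fresh watcher one character at a time and reports
// whether an alert would have fired. Inputs used with it are constructed.
function typeInto(origin, text, record) {
  const onKey = createWatcher(record, origin);
  for (let i = 0; i < text.length; i++) {
    if (onKey(text[i])) return true;
  }
  return false;
}
```

A single fast hash is cheap to brute-force if the stored record leaks, and the stored length narrows the search, so a real design has to weigh truncating the hash or using a slow key-derivation function.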