The Google Security Team announced a free Chrome browser extension called Password Alert that complains loudly if you ever type your Google password into a non-Google website. The extension has 2 purposes: protect you from falling victim to some phishing attacks, and prevent you from duplicating your Google password on other sites.
Phishing attacks are those emails you get from criminals disguised as real emails from real companies. They ask you to click on a link that takes you to a criminal website, which in turn asks you for your precious login and password. You think you are logging into a real site, but you are really handing your credentials to the criminals.
This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day.
The extension only works on Google Chrome, not Firefox, Internet Explorer, Safari, or Opera. It works by storing a hash of your Google password locally; the plaintext password itself is never stored. Whenever you type a password into any website, it calculates the hash of what you typed and compares it to the locally stored Google password hash. If there’s a match, you’ve just entered your Google password on a non-Google site. Bad policy at best, phishing attack victim at worst.
This will not prevent phishing attacks against non-Google sites. Your banking passwords, for example, are no less vulnerable.
This is a pretty good idea for heavy users of Google services. Those users inherently risk using their main email (Gmail) password to access other, non-email sites. If you use Gmail and other Google services, I would definitely install this free extension in your Chrome browser.
Of course you should never rely solely on this sort of tool. Don’t go clicking on every email link because you think this plugin will always protect you. In fact, less than 24 hours after the release some security researchers devised a way to remove the warning screen before it could even be displayed, so you’ll need at least version 1.4 of Password Alert. Who knows what other ways will be conjured up to bypass it, though. I’m sure the criminal phishers won’t just give up.
Those of us who have a single good password for email and all other passwords locked up in a password manager, as recommended in my eBook Your Password Sucks, won’t receive much benefit: our Google password is already in the password manager, which autofills the login data based on the website address and which already helps us avoid duplicating any passwords.