Google has released a free Chrome extension that warns Gmail users when they type their password into a phishing site, along with new tools to protect enterprise accounts as well.
Remember the five million Gmail passwords that were dumped online in September last year? The usernames and passwords were from real Google accounts, but as Google later explained, no one had hacked Google. Rather, the credentials were gleaned by malware or phishing attacks.
Google on Wednesday released a Chrome extension that could help combat phishing threats as they occur. Called Password Alert, it’s available for both Gmail users and Google for Work and Drive for Work customers.
The Chrome extension, available on the Chrome Web Store, will warn Chrome users if they attempt to type their Gmail or Google Account password into a phishing site and will prompt them to reset their password. It will also warn them if they attempt to use their Google password on a legitimate service, like Facebook. It won’t prevent them from re-using their passwords, but it will remind them that they're doing so by requiring the user to add an exception for each service on which they use the same password.
Due to the sheer number of Gmail users, it could prevent millions of accounts being compromised by phishing. According to Google, two percent of messages to Gmail are on the hunt for passwords and it points to research showing that the most effective phishing attacks can have a 45 percent success rate.
So how does Password Alert work? Once the extension is installed, it will open a new tab in the browser and prompt the user to type in their Gmail password. The extension doesn’t capture the password itself but rather stores in Chrome a “salted reduced-bit thumbnail” of the password.
“It then compares this thumbnail to each password you enter in any website other than accounts.google.com (or, for Google for Work domains, websites whitelisted by the administrator),” Google notes on its support page.
The method is similar to how Facebook checks password dumps on the internet when deciding which account holders it wants to force a password change. The practice, revealed after Adobe's password leak, acknowledges the frowned-upon habit of reusing passwords. Importantly, since Facebook only searches for a matching hash of a given password, the company doesn't know the actual password.
This article is brought to you by Enex TestLab, content directors for CSO Australia.