No matter how much Google does to harden its servers, hire the world’s best security engineers, and root out hackable bugs in its products, it can’t stop dummies like you and me from handing our Gmail passwords over to the first cybercriminal who slaps a Google logo on a fake login page. But now, for users of its Chrome browser at least, it’s trying a new method to protect our passwords from ourselves.
On Wednesday, Google released a new extension for Chrome it calls Password Alert, designed to deal with the stubborn problem of phishing sites that impersonate login pages to steal passwords. Any time you type your Gmail password into a page that isn’t a genuine Google sign-in page, the extension shows you an alert and gives you a chance to reset your Gmail password immediately, before the stolen copy can be used to compromise your account. For corporate users, the extension can also be configured to alert a company’s incident response team automatically.
“In the security industry we expect users to know when it’s OK to type their password. That accounts.google.com is OK, and accountsgoogle.com isn’t. That’s an unreasonable demand,” says Google security engineer Drew Hintz. “This helps you make that decision as to whether the place you just typed your password was a fine place to type it or not.”
Password Alert also helps to tackle another problem that internet services have often considered outside their control: careless users who reuse the same password across many different sites. Sign up for any other service with your Gmail password, and all of Google’s expensive security is reduced to the security of that other service. Hackers learned long ago that passwords and usernames spilled by one security breach often work on other sites, too. But reuse a Gmail password with Password Alert installed, and it triggers the same alert as a phishing attempt, an annoyance that could lead users to give up the bad habit of sharing passwords between sites.
Phishing remains one of the most serious and intractable problems in information security, and is often the initial point of compromise in schemes ranging from mass credit card harvesting to sophisticated, state-sponsored targeted attacks. Google estimates that the best-crafted phishing emails trick as many as 45 percent of the users who receive them, and that 2 percent of all Gmail messages it sees are phishing attempts. A Verizon report published earlier this month found that a phishing campaign launched against a target corporation or agency can find a gullible user and gain an initial foothold within as little as 80 seconds.
Google itself has been battling phishing attacks for years, says Hintz. He’s “refereed” Google’s own internal penetration tests, which showed again and again that password phishing was “a vulnerability you can’t patch,” he says. So three years ago, Hintz says Google began implementing a version of the Password Alert Chrome extension internally. It turned out to be effective enough that the company decided to roll out a version to users.
Hintz says that upcoming versions of Password Alert will give users the option to monitor other passwords, too, such as those for their banking or corporate accounts. When the current version is installed, it immediately asks the user to log back into their Google account. It then stores a cryptographically hashed version of the password locally on the user’s machine: a one-way scrambled form that the extension can compare against what you type, but that cannot be read back as the password itself by anyone who gets hold of it. (The usual caveat applies: a hash of a weak or common password can still be guessed offline, so the protection is no substitute for a strong password.) Although Password Alert requests on installation the rather disturbing permission to “read and change all your data on the websites you visit,” Hintz says the extension never communicates anything back to Google’s servers.
This is hardly the first step Google has taken to try to protect users from phishing scams. It already offers users two-factor authentication, and Chrome includes a “Safe Browsing” feature: as Google crawls the Web, it flags sites that appear to host malware or phishing pages, and Chrome warns users who try to visit one. Firefox and Safari also use Google’s Safe Browsing data to flag those malicious sites.
Password Alert adds another layer to those protections, though Google doesn’t yet share it with other browsers as it does with Safe Browsing data. Hintz points out that the extension is open source and available on GitHub, ready to be ported to other browsers.
If Google’s approach catches on with other internet services and browsers, it could serve as a broad new form of password hygiene, keeping your most sensitive character combinations off the sketchy websites that have been a scourge of internet security. If only the password Post-its stuck to the wall of your cubicle could be so easily eradicated.