Security experts have established all sorts of best practices for keeping online passwords secure: pick a string of characters that’s not easy to guess, don’t use passwords based on dictionary words, don’t write your passwords down, don’t reuse passwords across different sites – the list goes on. But most people simply don’t have the mental bandwidth to remember dozens of different passwords for the different sites they use, and as password management tools such as LastPass and 1Password haven’t caught on widely, many of us reuse the same password on many different web sites.
But by recycling passwords, we’re making ourselves easier prey for “phishing” attacks. A phishing attack occurs when a bogus email or Web site tricks us into giving up our username and password by posing as a service we use every day. If you’ve ever gotten an email purporting to be from eBay or PayPal, asking that you log in to address a vaguely defined problem with your account, it was probably a phishing attack.
On Wednesday Google released Password Alert, an extension for the Chrome Web browser that will help defend against phishing attacks by saving careless Internet users from themselves. Password Alert will let you know if you type your Google account password into a non-Google site, and will prompt you to change your password immediately if that happens.
If you’re a Gmail user, your Google password is particularly important, because a hacker can gain access to most of your other accounts if he or she gains access to your email. In most cases, it’s as simple as clicking the “Forgot your password?” link on a login page. The site will send a reset password to your email account, which the hacker can then intercept. Password Alert will give you a heads-up that you’ve typed your password into an unsafe site, giving you time to change it before the bad guys do.
Password Alert also automatically checks the code of sites you’re visiting so it can determine whether a particular page is masquerading as a Google login page. If it notices one, it’ll warn you so you don’t get tricked into sharing your credentials.
Password Alert doesn’t store your Google password itself. Instead it stores what’s called a hash: a one-way scrambled version of your password combined with an additional string of characters (a salt), so the sensitive data can be kept without the password being recoverable from it. That lets the extension hash what you type on other web sites and compare the result against the stored hash, alerting you if it sees that you’ve entered your Google password on a non-Google site.