Install Google Password Alert?
Google suffered an embarrassing moment just a day after it released a free browser extension intended to protect users against phishing attacks. Google fixed the mistake quickly, but the fix is also vulnerable to being bypassed. Should you install the Google Password Alert tool anyway? I say yes...
What is Google's Password Alert Tool?
The extension is called Password Alert. Once you have logged in to your Google account, Password Alert will warn you if you enter your Google password on any non-Google Web page, such as a fake “Google Mail sign in” page erected by a phisher. Password Alert will urge you to change your Google account password “immediately.”
“In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless,” Moore told Forbes in an interview on May 1.
Perhaps Password Alert should be returned to the development department and entirely re-designed. It should not be necessary for me to go change my Google password “immediately” or ever. If Password Alert knows that I am not on a legitimate Google page and that I just entered my Google password, it should not allow that password to be transmitted to the phishing page, unless the user explicitly overrides the warning. What is so difficult about this?
A Work in Progress...
Are you using Two-Factor Authentication? It sounds geeky, but it's actually easy to do and very important. See SECURITY TIP: Two Factor Authentication to learn how.
Password Alert (when it works) also prevents re-use of Google passwords on otherwise legitimate sites, a good security practice as far as it goes. However, it won’t stop me from using my bank site’s password on a bogus site, or Netflix, or Facebook, etc. “Use a unique password on each site” is good advice that could be enforced by Password Alert or something similar.
So far, just over 70,000 users have downloaded the Password Alert extension from the Google Chrome Web Store. I don’t believe Password Alert will be a runaway hit. But those who are using it should be aware of its limitations and vulnerabilities.
Just to be clear, using the flawed Password Alert does NOT make you any more vulnerable to malware attacks. If anything, it makes you marginally safer. The problem identified by the researchers is that the warnings normally presented by Password Alert can be "silenced" if the webmaster of a malicious site adds additional code to block them.
So even the current version (assuming it's not fixed by the time you read this) is beneficial in the sense that it will warn you against re-using your Google password on non-Google sites. It will even work on malicious sites that have not added the blocking code. Chrome extensions update automatically, and I expect that Google will give this full attention over the next few days. So I still think it's a good idea to install this one, especially if you tend to be sloppy with password reuse.
This article was posted by Bob Rankin on 4 May 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved