Install Google Password Alert?

Category: Security

Google suffered an embarrassing moment just a day after it released a free browser extension intended to protect users against phishing attacks. Google fixed the mistake quickly, but the fix is also vulnerable to being bypassed. Should you install the Google Password Alert tool anyway? I say yes...

What is Google's Password Alert Tool?

The extension is called Password Alert. Once you have logged in to your Google account, Password Alert will warn you if you enter your Google password on any non-Google Web page, such as a fake “Google Mail sign in” page erected by a phisher. Password Alert will urge you to change your Google account password “immediately.”

Password Alert was released on April 29. In less than 24 hours, security consultant Paul Moore posted a YouTube video demonstrating how to defeat Password Alert by adding “just seven lines of (JavaScript) code” to a phisher’s Web page. Basically, Moore’s simple program scans the user’s screen for the Password Alert warning every 5 milliseconds and deletes it before the warning can be read, or even noticed by most people.

“In short, anyone looking to launch a phishing attack against a Google account simply needs to add those seven lines to render the Password Alert protection useless,” Moore told Forbes in an interview on May 1.

Google issued a patched update of Password Alert within a few hours of Moore’s revelation. But by May 1, Moore had demonstrated that the “fixed” version could also be defeated by a few lines of JavaScript. Other security researchers joined the fun, and so far nine ways to bypass Password Alert have been devised. As of this writing, Google has responded to 3 of those, but the latest version (v1.6) does not address them all.

Perhaps Password Alert should be returned to the development department and entirely re-designed. It should not be necessary for me to go change my Google password “immediately” or ever. If Password Alert knows that I am not on a legitimate Google page and that I just entered my Google password, it should not allow that password to be transmitted to the phishing page, unless the user explicitly overrides the warning. What is so difficult about this?
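The design proposed above can be sketched as follows. This is an added example, not Google's code and not taken from the original article: the class and function names, the salted-fingerprint scheme and the one-host allowlist are all assumptions made for illustration. The check returns a block decision to its caller instead of drawing a warning inside the page, so nothing in it depends on content the visited page can modify.

```javascript
// Added example: hypothetical names throughout; this is not Password Alert's code.
const { createHmac, timingSafeEqual } = require("node:crypto");

const TRUSTED_HOSTS = new Set(["accounts.google.com"]); // assumption: sign-in host allowlist

// Keep only a salted fingerprint of the password, never the password itself.
function fingerprint(salt, text) {
  return createHmac("sha256", salt).update(text, "utf8").digest();
}

function isTrustedOrigin(pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }
  // Exact host match over HTTPS; a substring check would accept
  // look-alikes such as accounts.google.com.evil.example.
  return url.protocol === "https:" && TRUSTED_HOSTS.has(url.hostname);
}

class PasswordGuard {
  constructor(salt, password) {
    this.salt = salt;
    this.length = password.length;
    this.expected = fingerprint(salt, password);
    this.buffer = ""; // sliding window of the most recent keystrokes
  }

  // Feed one typed character; returns "allow" or "block".
  onKey(pageUrl, ch) {
    this.buffer = (this.buffer + ch).slice(-this.length);
    if (this.buffer.length < this.length) return "allow";
    const typed = fingerprint(this.salt, this.buffer);
    if (!timingSafeEqual(typed, this.expected)) return "allow";
    if (isTrustedOrigin(pageUrl)) return "allow";
    this.buffer = "";
    return "block"; // caller cancels the submission until the user overrides
  }
}

// Replays a string of keystrokes and reports whether any of them was blocked.
function typeInto(guard, pageUrl, text) {
  let decision = "allow";
  for (const ch of text) {
    if (guard.onKey(pageUrl, ch) === "block") decision = "block";
  }
  return decision;
}
```
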

A Work in Progress...

Is your password easily guessable? See my related article Is Your Password Strong Enough? to find out if a 10-year-old can guess your password.

Are you using Two-Factor Authentication? It sounds geeky, but it's actually easy to do and very important. See SECURITY TIP: Two Factor Authentication to learn how.

Password Alert (when it works) also prevents re-use of Google passwords on otherwise legitimate sites, a good security practice as far as it goes. However, it won’t stop me from using my bank site’s password on a bogus site, or Netflix, or Facebook, etc. “Use a unique password on each site” is good advice that could be enforced by Password Alert or something similar.

So far, just over 70,000 users have downloaded the Password Alert extension from the Google Chrome Web Store. I don’t believe Password Alert will be a runaway hit. But those who are using it should be aware of its limitations and vulnerabilities.

Just to be clear, using the flawed Password Alert does NOT make you any more vulnerable to malware attacks. If anything, it makes you marginally safer. The problem identified by the researchers is that the warnings normally presented by Password Alert can be "silenced" if the webmaster of a malicious site adds additional code to block them.

So even the current version (assuming it's not fixed by the time you read this) is beneficial in the sense that it will warn you against re-using your Google password on non-Google sites. It will even work on malicious sites that have not added the blocking code. Chrome extensions update automatically, and I expect that Google will give this full attention over the next few days. So I still think it's a good idea to install this one, especially if you tend to be sloppy with password reuse.

Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 4 May 2015


Most recent comments on "Install Google Password Alert?"

Posted by:

04 May 2015

Just use Lastpass and you won't need to worry about phishing attacks, as Lastpass will not fill in your password on a phishing site. Roboform, 1password, and others probably do the same (although I do not have personal experience with those password managers and cannot say for certain).

Posted by:

04 May 2015

I read where password managers that use the clipboard also have issues, as it's easy to monitor the clipboard for password info, capture it and send it off to who knows where.

Posted by:

04 May 2015

Not interested in this Extension for Chrome or Google.

I have Lastpass, plus Avast!, which lets me know that I am at a BAD website. Avast! will block any website that isn't deemed GOOD.

So far, I am pleased with all of my protective programs, Avast!, Malwarebytes and Lastpass. I am good to go. :)

Posted by:

04 May 2015

If Jim or Bob can answer, is this LastPass feature available in the free and/or Premium version? Thanks

Posted by:

Pablo Cassels
04 May 2015

Basically, Password Alert should simply alert you that you are on a phishing, or other suspect, site.
On another note, what do you think of the Google Chrome extension Sidekick? Worthy add on, or just an invasion of privacy?

Posted by:

04 May 2015

Is this problem strictly with Chrome?

EDITOR'S NOTE: This is not a problem with Chrome. This is a benefit of using Chrome, which is not available to those who use other browsers.

Posted by:

05 May 2015

Does my use of Google's Two-step verification provide any security against this?

EDITOR'S NOTE: If by "this" you mean the Password Alert tool, then let me clarify... This article was not about a security vulnerability. It was about a tool to help you be more careful with your passwords. If by "this" you mean the possibility that you might accidentally expose your Google password by entering it on a phishing site, then yes, two-step verification will protect you because the phishing site owners would need more than just your password to login.

Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Install Google Password Alert? (Posted: 4 May 2015)