Security experts have offered a mixed assessment of Google’s new Password Alert security, a Chrome extension designed to make it harder for phishing sites to steal Google account credentials by impersonating the search giant's login page.
The principle behind it is straightforward enough; if a user enters their Google password into a site that isn’t Google’s a warning message flashes on screen (see above) telling them that it has been exposed and suggesting a reset. It does this simply by comparing a hashed and locally stored version of the Google password to each one entered.
Google estimates that 2 percent of messages sent to its users are phishing attempts of one sort of another which presumably means they are filtered out, Still, a good idea’s a good, right?
An obvious problem is that the extension only works with the Chrome browser so anyone using alternatives won’t be protected. All the same, as an open source tool developers could in principle tweak it to defend company domains when using the same browser. Google is also making it available for Google for Work customers running Google Apps or Drive for Work so this isn’t just for consumers.
A slightly more involved alternative suggested by PhishMe’s CTO Aaron Higbee is to trip up the hashing comparison by quietly adding a digit to any entered password so that the fact the user has entered it is not detected. The attacker would then simply subtract the digit to reveal the password.
It’s not clear that getting such an attack to work would be as simple as it sounds because Google hasn’t described the process by which the comparison is made but it’s clear that logging in this way is never going to be totally secure.
Google points out that using a 2FA authentication token offers stronger protection because even if a thief has access to the credentials they still need the hardware key to get into the Google account – Techworld reviewed Yubico’s FIDO U2F token a few weeks back on a Chromebook (which is the whole Chrome browser idea writ large) in conjunction with LastPass. The Yubikey is probably the most affordable hardware key on the market.
Whatever defences are used, the useful effect of Password Alert will be threefold. First it doesn’t work with daft passwords using fewer than 8 characters, which forces people to upgrade beyond that basic level. It also alerts people if they re-use their Google password somewhere else, a patently stupid thing to do. Finally, it reminds users to set up account recovery.
From this point of view, Password Alert represents a sort of mental upgrade as much as a software one. Users are being invited to invest something to protect themselves and that might yet get through to even the most reluctant.
Update: researchers have since found more problems with Password Alert severe enough for Google to row back on some of its security claims. Does it offer a short-term boost? For now, a bit, but be clear about the limitations that are being found. Without a stronger release this won't buy much security.