When it detects a fake login page or an unverified site, Password Alert gives users the option to change their passwords immediately, in an effort to limit the damage from potentially compromised accounts.
The extension is also offered to businesses with additional features that allow incident response teams to be alerted to potential phishing attack vulnerabilities. According to Google's release announcement, installing Password Alert on company-wide domain management systems will help identify malicious activity and also reduce password reuse by employees.
“There is something to be learned from what Google has done with respect to protecting customers as they access their accounts,” Webroot Security Intelligence Director, Grayson Milbourne, commented in an email to SCMagazineUK.com. “It would be great to see this same technology extended to other browsers and also to protect other major targets of phishing.”
However, while this is a proactive step forward to thwart phishing attacks, there are also drawbacks to the system-wide automation. While users are prompted by the alert to change their passwords, they are also given the option of ignoring the alert altogether.
“While this may reduce the incidence of accidentally revealing one's Google password, it might also train users to ignore security warning pop-ups,” Kevin Epstein, VP of advanced security and governance at Proofpoint, commented in an email to SCMagazineUK.com.
“In either case,” Epstein warned, “[it] does nothing to block phishing emails or possible other site compromises. If seeking modern security and protection against cyber-attacks, enterprises and SMB alike would be well-advised to deploy a centralised targeted attack protection or threat response system rather than this per-browser Google-only pop-up.”
“This is a good time to remind everyone of very simple and effective strategies to keeping online accounts secure,” said Milbourne, echoing the sentiment, adding: “First, make sure your primary email password is different from all other passwords. There is a domino effect if you can break into this account. We all hate remembering different passwords, but this one is a must for proper online security.”