Google engineers have released an extension for their Chrome browser that warns users when they accidentally enter their Google password into a phishing page aimed at hijacking their account.
The freely available, open-source extension is known as Password Alert. It stores a user’s Google password in a one-way format known as a cryptographic hash, rather than keeping the password itself. If the user types the same Google password into a non-Google website, the extension generates a warning that the user has just been phished and should change the password immediately.
Google security engineer Drew Hintz told Ars that Password Alert will issue the same warning when people use their Google password to log in to other legitimate sites. Such password reuse is a major security taboo, since a breach of one site can lead to takeovers of accounts on any other site protected by the same password. Still, for users who insist on ignoring this sage and oft-repeated advice, alerts come with an option that says “always ignore this website.” If a user presses the button, the alert will never appear again for that particular non-Google website.
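The hash comparison and the “always ignore this website” option described above can be sketched as follows. This is an added illustration, not Password Alert's source code: the class and function names, the salted SHA-256 digest, the stored password length and the rolling per-site keystroke buffer are all assumptions.

```javascript
// Added illustration; not Password Alert's source code.
const { createHash, randomBytes } = require('node:crypto');

class PasswordReuseDetector {
  // protectedHosts: hosts where typing the password is expected (assumed list).
  constructor(protectedHosts) {
    this.protectedHosts = new Set(protectedHosts);
    this.ignoredHosts = new Set(); // sites marked "always ignore this website"
    this.buffers = new Map();      // host -> most recently typed characters
    this.salt = null;
    this.digest = null;
    this.length = 0;
  }

  hash(text) {
    return createHash('sha256').update(this.salt).update(text, 'utf8').digest('hex');
  }

  // Keep only a random salt, the salted digest and the length; never the password.
  enroll(password) {
    this.salt = randomBytes(16);
    this.length = [...password].length;
    this.digest = this.hash(password);
  }

  ignoreSite(host) { this.ignoredHosts.add(host); }

  // Feed one typed character. Returns true when the last `length` characters
  // typed on this host hash to the stored digest.
  onKey(host, ch) {
    if (!this.digest || this.protectedHosts.has(host) || this.ignoredHosts.has(host)) return false;
    const buf = (this.buffers.get(host) || []).concat(ch).slice(-this.length);
    this.buffers.set(host, buf);
    return buf.length === this.length && this.hash(buf.join('')) === this.digest;
  }
}

// Helper: replay a string as keystrokes and report whether any keystroke raised an alert.
function typeText(detector, host, text) {
  let alerted = false;
  for (const ch of text) alerted = detector.onKey(host, ch) || alerted;
  return alerted;
}

// Constructed demo values: the password and host names are made up.
const demo = new PasswordReuseDetector(['accounts.google.com']);
demo.enroll('correct horse 42');
console.log(typeText(demo, 'login.example', 'correct horse 42')); // alert raised
```

Because the buffer is kept per host and only the trailing characters are hashed, the password is caught even when it follows other typing in the same field.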