No matter how much Google does to harden its servers,
hire the world’s best security engineers, and root out hackable bugs in its
products, it can’t stop dummies like you and me from handing our Gmail
passwords over to the first cyber criminal who slaps a Google logo on a fake
login page. But now, for users of its Chrome browser at least, it’s trying a
new method to protect our passwords from ourselves.
On Wednesday, Google released a new
extension for Chrome it calls Password Alert, designed to deal with the
stubborn problem of phishing sites that impersonate login pages to steal
passwords. Any time you type your Gmail password into a login page that’s not
an actual Google login, the new extension shows you an alert and gives you a
chance to immediately reset your Gmail password before it can be used to
compromise your account. For corporate users, the extension can even be
configured to automatically alert a company’s incident response team.
“In the security industry we expect users to know
when it’s ok to type their password. That ‘accounts.google.com’ is ok, and
‘accountsgoogle.com’ isn't. That’s an unreasonable demand,” says Google
security engineer Drew Hintz. “This helps you make that decision as to whether
the place you just typed your password was a fine place to type it or not.”
The warning Password Alert shows when the user types his or her password on a login page other than Google’s.
Password Alert also helps to tackle another problem
that internet services have often considered outside their control: Careless
users who reuse the same password across many different sites. Sign up for any
other service with your Gmail password, and all of Google’s expensive security
is reduced to the security of that other service. Hackers learned long ago that
passwords and usernames spilled by one security breach often work on other
sites, too. But reuse a Gmail password with Password Alert installed, and it triggers
the same alert as a phishing attempt, an annoyance that could lead users to
give up the bad habit of sharing passwords between sites.
Phishing remains one of the most
serious and intractable problems in information security, and is often the
initial breach point for hacker schemes ranging from mass credit card
harvesting to sophisticated, state-sponsored targeted attacks. Google estimates
that the most well-crafted phishing pages succeed in tricking users as much as
45 percent of the time, and that 2 percent of all Gmail messages it sees are
phishing attempts.
Google itself has been battling phishing attacks
for years, says Hintz. He’s “refereed” Google’s own internal penetration tests,
which showed again and again that password phishing was “a vulnerability you
can’t patch,” he says. So three years ago, Hintz says, Google began deploying
a version of the Password Alert Chrome extension internally. It turned out to
be effective enough that the company decided to roll out a version to users.
Hintz says that upcoming versions of Password Alert
will give users the option to monitor other passwords, too, such as those for
their banking or corporate accounts. In the current version, it immediately
asks the user to log back into their Google account when it’s installed. Then
it records and stores a cryptographically hashed version of the password
locally on the user’s machine: a scrambled form of the password that the
extension can compare against what you type, but that can’t be turned back
into the password directly. (A hash is not a secret in itself, though. Anyone
who obtains it can still try guessing the password offline, which is one more
reason the password it protects should be a strong one.) And although
Password Alert requests on installation the rather disturbing permission to
“read and change all your data on the websites you visit,” a permission it
needs in order to watch what is typed into other sites’ login pages, Hintz says
the extension never communicates anything back to Google’s servers.
This is hardly the first step Google has taken to
try to protect users from phishing scams. It already offers users two-factor
authentication, and Chrome includes a “Safe Browsing” feature. In its constant
crawls of the entire visible Web, Google seeks out sites that seem to be
infected with malware or to host phishing attempts, and Chrome issues a warning
if a user visits one. Firefox and Safari also use Google’s Safe Browsing data
to flag those malicious sites.
Password Alert adds another layer to those
protections, though it doesn't yet share that safeguard with other browsers as
Google does with Safe Browsing. Hintz points out that the extension is
open-source and available on GitHub, ready to be ported to other browsers.
If Google’s approach catches on with
other internet services and browsers, it could serve as a broad new form of
password hygiene, keeping your most sensitive character combinations off the
sketchy websites that have been a scourge of internet security. If only the
password post-its stuck to the wall of your cubicle could be so easily
eradicated.