Google launched a new extension for its Chrome browser that is designed to discourage people from using the same password to log in to multiple online accounts.
The open-source extension called Password Alert works by alerting users if they type their Google password into a non-Google site. The idea is to foster better security by deterring users from reusing their Google passwords, Drew Hintz, security engineer, and Justin Kosslyn, product manager, at Google Ideas said Wednesday.
Once installed, the extension helps Chrome remember a “scrambled” version of the user’s Google Account password. It then watches to see if the user enters the same password to access a non-Google site. If that happens, Password Alert presents a notice asking the user to reset his or her Google account password to avoid the risk of being phished.
The alert gives users the option of either resetting their Google password or continuing to use it.
Password Alert is available to consumers as well as to business customers of Google for Work, including Google Apps and Drive for Work, Hintz and Kosslyn said in their announcement.
“Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem,” they said. The extension gives administrators the ability to spot attackers trying to break into employee accounts using their Google log-in credentials. It can also help reduce password reuse among employees, they added.
Though security analysts have long considered password reuse a bad idea, the practice is fairly common among Internet users. Because many people dislike the idea of having to remember unique passwords to each of their online accounts, they end up using the same one for everything.
A survey by SailPoint Technologies earlier this year showed that 56 percent of employees reuse passwords to a certain extent daily, even when accessing corporate applications. Some 14 percent admitted to using the same password across all apps.
Such password reuse can expose organizations to serious security issues, especially when passwords that control access to personal accounts, like Google and Facebook, are used to log in to corporate applications as well. In such situations, a hacker with access to a single password can access all accounts associated with that password.
Tod Beardsley, manager of security engineering at Rapid7, said Google’s latest Chrome extension is a great idea, especially from a consumer standpoint.
“The idea that your browser can keep an eye on what you’re logging in to and say, ‘Hold up! You just did something kinda crazy!’ is great,” Beardsley said. It will solve a huge pile of common security problems stemming from password reuse, he said.
The downside is that with this approach, password security depends almost entirely on the security of the browser and the plug-in, he said in an emailed statement. “Any exploitable flaw in either can expose your Google Accounts password to attackers,” he said.
So, the extension is not really recommended for people who already are careful about password reuse, he said. But for others, the plug-in is really useful.
“After all, for many people, a compromise of their Google account is effectively a compromise of their entire online identity,” Beardsley said. “If Gmail is your primary email source, and I get control of that, I can ‘forget my password’ to pretty much any site you’re registered on and be you, there.”
Beardsley said that Google has made the code available on GitHub as an open-source project. So he, and other security researchers are going through it to see if there are any glaring implementation flaws. “So far, it appears on the up-and-up, but there are always risks.”