Phishing prevention with Password Alert FAQ

Below are common questions about the Password Alert extension, which is used to prevent phishing attacks. For instructions on installing Password Alert, see Preventing phishing attacks on your users or Prevent phishing with Password Alert.

What is Password Alert?

Password Alert is a Chrome extension that helps G Suite and Cloud Identity users avoid phishing attacks by detecting when they enter their Google password into any websites other than the Google sign-in page.

Administrators can also deploy the Password Alert Server to enable password alert auditing, send email alerts, and force users to change their Google password if they enter it into a non-trusted website.

What is Chrome Password Alert Policy and how is it different?

You can get many of the features in the Password Alert Chrome extension through the Chrome Password Alert Policy. It’s implemented natively in Chrome and allows uniform policy deployment and reporting on all platforms that support Chrome.

Your organization doesn’t need G Suite or Cloud Identity to use the Chrome Password Alert Policy. Currently, Chrome Password Alert Policy doesn’t have a Password Alert Server for alert auditing and controls.

You and your users can get 2 sets of alerts if you set up both the Chrome extension and Chrome Password Alert Policy. Turn off the extension to avoid duplicate alerts.

Can I reuse the password for my managed Google account for other accounts?

No. Entering the password for your managed Google account (for example, G Suite or Cloud Identity) in any non-Google site triggers Password Alert. You will get an alert each time you first use that password for other accounts. You can choose between resetting your password or ignoring the alert for the specific account.

Gmail users have the option to mute all alerts on a website. If you use the same password on multiple accounts, and one of the accounts is compromised, attackers often try using the password for your other accounts to gain access with reused credentials.

What if I’m not using Chrome?

Password Alert is for G Suite and Cloud Identity users and currently only works as a Chrome extension in the Chrome browser. As an administrator, you can deploy Password Alert across your domains using Chrome policies and set up a Google App Engine instance to monitor alerts across your domains. If you have legacy browsers in use, you may want to explore Chrome’s Legacy Browser support.

Does Password Alert work with Multi-Login?

Password Alert uses the active Chrome profile to determine which account is being protected, so if you want to install Password Alert for multiple Google accounts, use multiple Chrome profiles.

When does Password Alert take effect?

After you install the extension, Password Alert starts working the next time you sign in to accounts.google.com. Javascript® must be enabled and users with managed Google accounts must be signed in to Chrome.

How does Password Alert know your password?

Each time you successfully sign in to your Google account, Password Alert has temporary access to your correct password and saves a salted reduced-bit thumbnail of your password to Chrome local storage. It then compares this thumbnail to each password you enter in any website other than accounts.google.com (or, for Google Cloud domains, websites whitelisted by the administrator).

What other tools can I use to protect my password?

For Gmail users, a FIDO Universal 2nd Factor (U2F) Security Key is a very useful tool to help prevent password phishing.

How is Password Alert different from Chrome’s built-in Safe Browsing features?

Chrome tries to detect phishing pages in advance, but there may be cases where it misses an imposter sign-in page. Password Alert should detect each time you enter your password in a website other than accounts.google.com (or, for Google Cloud domains, websites whitelisted by the administrator).

Does Password Alert support Google passwords with less than 8 characters?

No, Password Alert requires that passwords have at least 8 characters. You will have to change any legacy Google passwords that have less than 8 characters.

Is Password Alert a keystroke logger?

No. Password Alert doesn't save keystrokes to disk, and it doesn't send any keystrokes to any remote system.

Is the Password Alert application required for Google Cloud customers?

No, the Password Alert application is only required for alert auditing, sending email alerts, and forcing the user to change their Google password if they enter it into a non-trusted website.

I set up Password Alert to send reports to my Password Alert application. Why are my users no longer receiving banner notifications?

After you've configured Password Alert to send reports to the application any notifications are only sent to the security group and/or the user via email. Refer to the Enforcement section in the Password Alert application configuration file for more details.

What is the difference between the Password Alert application and the App Engine instance?

The Password Alert application is managed by Google while the App Engine instance is managed by your team.

What is the difference between Mute and Allowed for the Host Status in the Admin console?

Allowed—Doesn’t alert security or expire the user’s password. You use this state to whitelist a host to allow for password reuse.

Mute—Doesn’t alert security, but expires the user’s password. You normally mute hostnames when a password reuse is detected on a legitimate website (for example, login.yahoo.com).

Unknown—Alerts security and expires the user’s password. This is the default state for all hosts, except for accounts.google.com and the SSO URL defined in managed_policy_values.txt (SSO_URL).

Was this article helpful?
How can we improve it?