Phishing prevention with Password Alert FAQ
Below are common questions about the Password Alert extension, which is used to prevent phishing attacks. For instructions on installing Password Alert, see Preventing phishing attacks on your users or Prevent phishing with Password Alert.What is Password Alert?
Password Alert is a Chrome extension that helps users avoid phishing attacks by detecting when they enter their Google password into any web sites other than the Google Sign in page accounts.google.com.
G Suite administrators can also deploy the Password Alert Server to enable password alert auditing, send email alerts, and force users to change their Google password if they enter it into a non-trusted web site.
No. Entering your Gmail or G Suite password in any non-Google site triggers Password Alert. You will get an alert each time you first use that password for other accounts. You can choose between resetting your password or ignoring the alert for the specific account. Gmail users have the option to mute all alerts on a website. If you use the same password on multiple accounts, and one of the accounts is compromised, attackers often try using the password for your other accounts to gain access with reused credentials.
Password Alert currently only works as a Chrome extension in the Chrome browser. As a Google Apps for Work administrator, you can deploy Password Alert across your domains using Chrome policies and set up a Google App Engine instance to monitor alerts across your domains. If you have legacy browsers in use, you may want to explore Chrome’s Legacy Browser support.
Password Alert uses the active Chrome profile to determine which account is being protected, so if you want to install Password Alert for multiple Google accounts, use multiple Chrome profiles.
Each time you successfully sign in to your Google account, Password Alert has temporary access to your correct password and saves a salted reduced-bit thumbnail of your password to Chrome local storage. It then compares this thumbnail to each password you enter in any website other than accounts.google.com (or, for Google Cloud domains, websites whitelisted by the administrator).
For Gmail users, a FIDO Universal 2nd Factor (U2F) Security Key is a very useful tool to help prevent password phishing.
Chrome tries to detect phishing pages in advance, but there may be cases where it misses an imposter sign-in page. Password Alert should detect each time you enter your password in a website other than accounts.google.com (or, for Google Cloud domains, websites whitelisted by the administrator).
No, Password Alert requires that passwords have at least eight characters. You will have to change any legacy Google passwords that have less than eight characters.
No. Password Alert doesn't save keystrokes to disk, and it doesn't send any keystrokes to any remote system.
No, the Password Alert application is only required for alert auditing, sending email alerts, and forcing the user to change their Google password if they enter it into a non-trusted website.
After you've configured Password Alert to send reports to the application any notifications are only sent to the security group and/or the user via email. Refer to the Enforcement section in the Password Alert application configuration file for more details.What is the difference between the Password Alert application and the App Engine instance?
The Password Alert application is managed by Google while the App Engine instance is managed by your team.
Allowed—Doesn’t alert security or expire the user’s password. You use this state to whitelist a host to allow for password reuse.
Mute—Doesn’t alert security, but expires the user’s password. You normally mute hostnames when a password reuse is detected on a legitimate website (for example, login.yahoo.com).
Unknown—Alerts security and expires the user’s password. This is the default state for all hosts, except for accounts.google.com and the SSO URL defined in managed_policy_values.txt (SSO_URL).