Phishing prevention with Password Alert FAQ

Below are common questions about the Password Alert extension, which is used to prevent phishing attacks. For instructions on installing Password Alert, see Preventing phishing attacks on your users or Prevent phishing with Password Alert.

What is Password Alert?

Password Alert is a Chrome extension that helps users avoid phishing attacks by detecting when they enter their Google password into any website other than the Google sign-in page.
Administrators can also deploy the Password Alert Server to enable Password Alert auditing, send email alerts, and force users to change their Google password if they enter it into a non-trusted website.

Can I reuse the password for my managed Google account for other accounts?

No. Entering the password for your managed Google account (for example, G Suite or Cloud Identity) in any non-Google site triggers Password Alert. You will get an alert each time you first use that password for other accounts. You can choose between resetting your password or ignoring the alert for the specific account.

Gmail users have the option to mute all alerts on a website. If you use the same password on multiple accounts, and one of the accounts is compromised, attackers often try using the password for your other accounts to gain access with reused credentials.

What if I’m not using Chrome?

Password Alert currently only works as a Chrome extension in the Chrome browser. As a Google Apps for Work administrator, you can deploy Password Alert across your domains using Chrome policies and set up a Google App Engine instance to monitor alerts across your domains. If you have legacy browsers in use, you may want to explore Chrome’s Legacy Browser support.

Does Password Alert work with Multi-Login?

Password Alert uses the active Chrome profile to determine which account is being protected, so if you want to install Password Alert for multiple Google accounts, use multiple Chrome profiles.

When does Password Alert take effect?

After you install the extension, Password Alert starts working the next time you sign in to Javascript® must be enabled and users with managed Google accounts must be signed in to Chrome.

How does Password Alert know your password?

Each time you successfully sign in to your Google account, Password Alert has temporary access to your correct password and saves a salted reduced-bit thumbnail of your password to Chrome local storage. It then compares this thumbnail to each password you enter in any website other than (or, for Google Cloud domains, websites whitelisted by the administrator).
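
The answer above, sketched as an added example for Node.js. This is not Password Alert's own code: the hash (SHA-256), the 37-bit thumbnail width, the stored password length, the function names, and the example.test hostnames are all assumptions made for illustration.

```javascript
// Added illustration, not Password Alert's source. SHA-256, the 37-bit width,
// the stored length and every name here are assumptions made for this sketch.
const crypto = require('crypto');

const THUMB_BITS = 37; // assumed width, far narrower than a full digest
const MIN_LENGTH = 8;  // the FAQ requires at least eight characters

// Salted hash cut down to THUMB_BITS: many strings map to each thumbnail,
// so the stored value alone does not pin down one password.
function thumbnail(salt, text) {
  const digest = crypto.createHash('sha256').update(salt + text).digest();
  const first48 = digest.readUIntBE(0, 6); // 48 bits fit in a safe integer
  return Math.floor(first48 / 2 ** (48 - THUMB_BITS));
}

// Called after a successful sign-in; the plaintext is never stored.
function rememberPassword(store, password) {
  if (password.length < MIN_LENGTH) return false;
  store.salt = crypto.randomBytes(16).toString('hex');
  store.length = password.length;
  store.thumb = thumbnail(store.salt, password);
  return true;
}

// Holds only the last store.length typed characters, in memory, and
// compares their thumbnail on each keypress outside trusted hosts.
function makeWatcher(store, isTrustedHost) {
  let typed = '';
  return function onKey(host, ch) {
    if (isTrustedHost(host)) { typed = ''; return false; }
    typed = (typed + ch).slice(-store.length);
    return typed.length === store.length &&
      thumbnail(store.salt, typed) === store.thumb;
  };
}

// Feeds a string one character at a time; returns the alert flag per key.
function typeAll(onKey, host, text) {
  return [...text].map((ch) => onKey(host, ch));
}

// Constructed sample: hostnames and password are made up.
const store = {};
rememberPassword(store, 'correct-horse-42');
const onKey = makeWatcher(store, (h) => h === 'signin.example.test');
console.log(typeAll(onKey, 'other.example.test', 'zzcorrect-horse-42').pop()); // true
```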

What other tools can I use to protect my password?

For Gmail users, a FIDO Universal 2nd Factor (U2F) Security Key is a very useful tool to help prevent password phishing.

How is Password Alert different from Chrome’s built-in Safe Browsing features?

Chrome tries to detect phishing pages in advance, but there may be cases where it misses an imposter sign-in page. Password Alert should detect each time you enter your password in a website other than (or, for Google Cloud domains, websites whitelisted by the administrator).

Does Password Alert support Google passwords with fewer than eight characters?

No, Password Alert requires that passwords have at least eight characters. You will have to change any legacy Google passwords that have fewer than eight characters.

Is Password Alert a keystroke logger?

No. Password Alert doesn't save keystrokes to disk, and it doesn't send any keystrokes to any remote system.

Is the Password Alert application required for Google Cloud customers?

No, the Password Alert application is only required for alert auditing, sending email alerts, and forcing the user to change their Google password if they enter it into a non-trusted website.

I set up Password Alert to send reports to my Password Alert application. Why are my users no longer receiving banner notifications?

After you've configured Password Alert to send reports to the application, any notifications are sent only to the security group and/or the user via email. Refer to the Enforcement section in the Password Alert application configuration file for more details.

What is the difference between the Password Alert application and the App Engine instance?

The Password Alert application is managed by Google while the App Engine instance is managed by your team.

What is the difference between “Mute” and “Allowed” for the Host Status in the Admin UI?

Allowed—Doesn’t alert security or expire the user’s password. You use this state to whitelist a host to allow for password reuse.

Mute—Doesn’t alert security, but expires the user’s password. You normally mute hostnames when a password reuse is detected on a legitimate website (for example,

Unknown—Alerts security and expires the user’s password. This is the default state for all hosts, except for and the SSO URL defined in managed_policy_values.txt (SSO_URL).
