Phishing prevention with Password Alert FAQ
Below are common questions about the Password Alert extension, which is used to help prevent phishing attacks. For instructions on installing Password Alert, see Preventing phishing attacks on your users or Prevent phishing with Password Alert.
What is Password Alert?
Password Alert is a Chrome extension that helps G Suite and Cloud Identity users avoid phishing attacks by detecting when they enter their Google password into any website other than the Google sign-in page.
Administrators can also deploy the Password Alert Server to enable password alert auditing, send email alerts, and force users to change their Google password if they enter it into a non-trusted website.
You can get many of the features in the Password Alert Chrome extension through the Chrome Password Alert Policy. It’s implemented natively in Chrome and allows uniform policy deployment and reporting on all platforms that support Chrome.
Your organization doesn’t need G Suite or Cloud Identity to use the Chrome Password Alert Policy. Currently, Chrome Password Alert Policy doesn’t have a Password Alert Server for alert auditing and controls.
You and your users will get two alerts for the same event if you set up both the Chrome extension and the Chrome Password Alert Policy. Turn off the extension to avoid duplicate alerts.
Password Alert is not limited to phishing sites. Entering the password for your managed Google account (for example, G Suite or Cloud Identity) on any non-Google site triggers it, so you also get an alert the first time you use that password for another account. When that happens, you can choose between resetting your Google password and ignoring the alert for that specific account.
Gmail users also have the option to mute all alerts for a given website. Reuse is flagged deliberately: if you use the same password on multiple accounts and one of them is compromised, attackers commonly try that password against your other accounts to gain access with the reused credentials.
Password Alert is for G Suite and Cloud Identity users and currently only works as a Chrome extension in the Chrome browser. As an administrator, you can deploy Password Alert across your domains using Chrome policies and set up a Google App Engine instance to monitor the resulting alerts. If you have legacy browsers in use, you may want to explore Chrome's Legacy Browser Support.
Password Alert uses the active Chrome profile to determine which account is being protected, so if you want to install Password Alert for multiple Google accounts, use multiple Chrome profiles.
Each time you successfully sign in to your Google account, Password Alert briefly has access to your correct password and saves a salted, reduced-bit thumbnail of it (a truncated hash, not the password itself) to Chrome local storage. It then compares that thumbnail against what you type into any website other than accounts.google.com (or, for Google Cloud domains, websites whitelisted by the administrator). Because only part of the hash is kept, the thumbnail is designed so that it cannot be reversed to recover the password.
For Gmail users, a FIDO Universal 2nd Factor (U2F) Security Key is a very useful tool to help prevent password phishing: the key's response is bound to the origin of the site requesting it, so a response captured on an imposter page does not work on the real sign-in page.
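As an added illustration of the scheme described above (this is example code, not the extension's own implementation), the following Python models the two halves of it: on a successful sign-in, only a salted, truncated hash and the password length are kept; afterwards, text typed on a non-trusted host is checked keystroke by keystroke against the stored thumbnail, while accounts.google.com and admin-whitelisted hosts are skipped. The hash function (SHA-256), the 37-bit thumbnail width, the whitelisted host sso.example.com and the sample passwords are assumptions for the demo; the page specifies none of them.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

MIN_PASSWORD_LENGTH = 8          # the extension refuses passwords shorter than 8 characters
THUMBNAIL_BITS = 37              # assumed width; the page only says "reduced-bit"
DEFAULT_TRUSTED_HOSTS = {"accounts.google.com"}


def thumbnail(password: str, salt: bytes, bits: int = THUMBNAIL_BITS) -> int:
    """Salted hash of `password`, truncated to its top `bits` bits.

    Assumed construction: SHA-256 over salt || password. Keeping only part
    of the digest means many strings share a thumbnail, so it cannot be
    reversed to a single password; the price is a tiny false-positive rate.
    """
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


class PasswordAlertMonitor:
    """Client-side model of Password Alert's storage and typing check."""

    def __init__(self, admin_whitelist=(), bits: int = THUMBNAIL_BITS):
        self.salt = secrets.token_bytes(16)       # per-profile random salt
        self.bits = bits
        self.saved = []                           # list of (thumbnail, length)
        self.trusted_hosts = set(DEFAULT_TRUSTED_HOSTS) | set(admin_whitelist)
        self.max_len = 0

    def record_successful_login(self, password: str) -> None:
        """Called once with the correct password; the plaintext is not retained."""
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("Password Alert requires passwords of at least 8 characters")
        entry = (thumbnail(password, self.salt, self.bits), len(password))
        if entry not in self.saved:
            self.saved.append(entry)
        self.max_len = max(self.max_len, len(password))

    def is_trusted(self, url: str) -> bool:
        host = urlsplit(url).hostname or ""
        return host in self.trusted_hosts

    def check_typing(self, url: str, typed: str):
        """Feed keystrokes typed on `url`; return the index of the keystroke
        that completed a protected password, or None if nothing matched."""
        if self.is_trusted(url) or not self.saved:
            return None
        buf = ""
        for i, ch in enumerate(typed):
            # keep only as many recent characters as the longest saved password
            buf = (buf + ch)[-self.max_len:]
            for thumb, length in self.saved:
                if len(buf) >= length and thumbnail(buf[-length:], self.salt, self.bits) == thumb:
                    return i
        return None


if __name__ == "__main__":
    # constructed demo: admin whitelists the organisation's SSO host
    m = PasswordAlertMonitor(admin_whitelist={"sso.example.com"})
    m.record_successful_login("correct horse battery")      # sample password (constructed)
    print("stored:", m.saved)                                # thumbnail and length only
    print(m.check_typing("https://login.attacker.example/", "hello correct horse battery"))  # 26
    print(m.check_typing("https://accounts.google.com/signin", "correct horse battery"))     # None
    print(m.check_typing("https://sso.example.com/login", "correct horse battery"))          # None
```

Note that the check only fires once the last keystroke of the password has been typed, so the phishing page has already received the characters; the alert limits damage by prompting a reset rather than preventing the leak, which is why the server-side "expire the user's password" action matters.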
Chrome tries to detect phishing pages in advance, but there may be cases where it misses an imposter sign-in page. Password Alert should detect each time you enter your password in a website other than accounts.google.com (or, for Google Cloud domains, websites whitelisted by the administrator).
Password Alert does not support short passwords: it requires passwords of at least 8 characters, so you will have to change any legacy Google password that has fewer than 8 characters.
Password Alert does not record your keystrokes. It doesn't save keystrokes to disk, and it doesn't send any keystrokes to any remote system.
The Password Alert application is not required for the extension to work. It is only needed for alert auditing, sending email alerts, and forcing the user to change their Google password if they enter it into a non-trusted website.
After you've configured Password Alert to send reports to the application, notifications are sent only to the security group and/or the user by email. Refer to the Enforcement section in the Password Alert application configuration file for more details.
What is the difference between the Password Alert application and the App Engine instance?
The Password Alert application is managed by Google, while the App Engine instance is managed by your team.
Allowed—Doesn’t alert security or expire the user’s password. You use this state to whitelist a host to allow for password reuse.
Mute—Doesn’t alert security, but expires the user’s password. You normally mute hostnames when a password reuse is detected on a legitimate website (for example, login.yahoo.com).
Unknown—Alerts security and expires the user’s password. This is the default state for all hosts, except for accounts.google.com and the SSO URL defined in managed_policy_values.txt (SSO_URL).