Earlier this month, Google announced the Password Alert extension for Google Chrome, which is designed to thwart phishing attacks levied against users of Google Apps.
And, almost from the moment of its release, security researchers have harshly criticized Password Alert.
Thus, we return to one of the central issues in software security: allowing the perfect to be the enemy of the good.
For those unfamiliar with the term, phishing is the most dangerous form of social engineering attack, in which a hacker uses a counterfeit web page to get you to willingly hand over some vital information, usually your username and password. Password Alert is designed to warn users when they attempt to enter their Google username and password on a page that isn’t actually hosted by Google.
Sometimes, however, Password Alert doesn’t work, and security researchers fear that, by relying on Password Alert, users are given a false sense of security.
This presumes that the average Google user even knows what a phishing attack is, let alone is capable of sniffing one out without the aid of a plugin like Password Alert. Yes, user education is a prime ingredient in a robust security strategy, but your users are presumably part of your organization because they have work to do, and better things to spend their time on than forensically analyzing every web page that asks for a login.
Password Alert may not be able to thwart the most sophisticated phishers at large today, but it can keep users from falling for all the average or crude phishing attacks, which is still a net gain. Password Alert will, for the majority of Google users in the majority of cases, lower the likelihood of having a username and password stolen. That’s a good thing.
There are no “silver bullet” security tools that cover all possible vulnerabilities all the time. The only way to ensure that your Google Apps users can’t inadvertently cause a loss of data is to have a good Google Apps backup plan. That way, even if a really savvy social engineer makes it past Password Alert, you’ll have the tools (and the backup data) to undo any damage.
Think of Password Alert as a smoke detector and a Google Apps backup as an insurance policy. Just because the detector can’t prevent every fire doesn’t mean you don’t buy it. Because it can’t prevent every fire, you buy the insurance. The same is true of software security. Don’t let the perfectionists fool you. Go get your virtual smoke detector for Google Apps today.