Password Alert: Google’s new free tool to prevent phishing attacks by Robert Hackett @FortuneMagazine April 29, 2015, 9:03 AM EDT E-mail Tweet Facebook Google Plus Linkedin Share icons Fess up: You use the same password for multiple web accounts, don’t you? It’s a bad practice, of course. One account becomes compromised and the rest—well, it’s a sudden game of dominos. Yet who among us has the fortitude to remember scores of wildly divergent, convoluted passwords? Who has the self-discipline, the mental faculty, the unflagging commitment to security? Who, I dare say, follows the tenets of digital hygiene to a tee? Tell me, dear reader, which of you? Fear not! Google GOOG has an answer for the rest of us incorrigible Internet users. The search giant has just released a Chrome browser extension called Password Alert that acts like a tripwire whenever you enter your Google credentials into an untrusted site—that is, anything other than accounts.google.com. (Or in the case of Google for Work—the company’s enterprise play—for sites not whitelisted by an administrator.) For many, one’s email account password—and very often, Gmail account password—is the trump card to resetting other logins. (Forgot your password? Click here and we’ll send you a temporary one via email.) That makes it particularly valuable, a master key—and a prime target for social engineers, whose goal is to steal your information. “Two percent of all emails to Gmail are phishing attempts,” says Justin Kosslyn, product manager at Google Ideas, describing the malicious traffic that flows through Google’s Gmail servers. “Gmail can fortunately filter most of them out, but millions upon millions of emails a day are trying to trick you into giving up your password.” The new password tool was developed out of the company’s own learnings from conducting internal penetration tests, attempts to improve and assess security by hacking itself and its employees. In some cases, researchers found that a well-crafted, lookalike phishing site could be effective 45% of the time. On average, phishing sites duped people about 14% of the time. “It works like a spellchecker,” Kosslyn says, explaining the mechanism. The tool triggers based on the length of the password being typed in, he says. Chrome stores a partial fingerprint of the password—a partial salted hash, to be technical, rather than the password itself—and if it detects that a Google password is being reused, the alarm sets off. “It’s able to use this math trick to determine whether there is a match,” he says. Proud of its success rate, the team decided to take the product public. “It has caught real-world phishing attacks on Googlers,” Kosslyn says, “That’s one of things that made us very keen on open sourcing it and making it available for users as well.” Another motive has to do with the team’s work with activists and political dissidents, such as Syrian expatriates in Turkey. “We hear all kinds of different stories about cyber security and the threats they face,” he says. In fact, Kosslyn’s team breaks these threats down into three areas: threats to servers, threats to connections, and threats to devices. This last piece is where Password Alert provides the most protection. For some, including those with governmental adversaries, phishing can be a matter of life and death, he says. “Hence this launch.” Indeed, as the latest Verizon report on data breach investigations reveals, phishing attacks are often a calling card for state-sponsored actors. “For two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing,” the researchers write. The report also notes that nearly a quarter of recipients open phishing messages and 11% click on the attachments within. Password Alert is the latest product out of Google Ideas, a 4-year-old “think tank” division of Google concerned with global initiatives. Previously, the arm has released Project Shield, which aims to use Google’s infrastructure “to provide protection for free expression online,” combating and withstanding distributed denial of service (DDoS) attacks. (Like the one China waged against GitHub earlier this month.) Kosslyn assures Fortune that the tool does not inhibit a machine or browser’s performance. “We did a lot of optimization to make sure it doesn’t slow down your computer,” says. “As opposed to anti-virus software or downloading a new version of [Microsoft] Word in the background, this is negligible.” (Google, after all, takes load time very seriously.) Although Password Alert is compatible only with the Chrome browser and Google logins for now, Kossyln says he would like to see the tool applied across the web and used with different services. “That’s the hope,” he says.