Early this year, I tried to brainstorm ways to defeat phishing, and recall asking myself why no-one was doing something like Password Alert because it seemed so simple and so obvious. In June, I found out that Google had already been doing it for years internally and had expended the effort to release their extension both for regular users and enterprises who wanted to deploy it internally.
I was both a bit bummed that someone had beaten me to the punch, but also vindicated that the idea had some merit. After spending a bunch of time trying to figure out how I could do something in this space, I have written my own version with the following features:
Cross-Platform Browser Support
After talking to multiple people who expressed some disappointment that Password Alert was Chrome-only, I have taken the core idea behind password alert and implemented it in a way that runs in Safari, Chrome and Firefox (via WebExtensions). This isn’t a port since I didn’t really want to work with the Google-y codebase that had been open sourced (sorry Drew).
I am sitting on the fence about building a version for IE since Edge is meant to have a largely compatible extensions model soon, but it might be possible to do something for IE as well by using an existing cross-platform toolkit and not having to resort to BHOs.
Beyond just tracking Google credentials the way Password Alert does, Password Sage also tracks Facebook credentials and doesn’t complain if they are the same in the consumer version.
Unlike Google, I have an interest in helping everyone protect all of their credentials, and I hope that in time I can extend it to handle arbitrary sites, however an aborted attempt at writing a password manager taught me that solving this problem in general can be tricky, so for the moment Password Sage has an internal rules engine which I’ve used to add Facebook support as a testing ground for the functionality in general, which can hopefully be a be for supporting much of the web before tacking the general case :)
To alleviate the issues users face with shared passwords, I have implemented a server-side component that can provide additional context for a given URL to see if it is likely to be a legitimate login URL.
I realise that everyone is getting more privacy conscious these days, and while browsers have taken a lot of flack for checking every URL against a phishing database, I am hoping that checking only URLs where users enter their password is a tradeoff users find acceptable.
For those concerned about how such a whitelist will cause Password Sage to miss attacks, I would firstly mention that all the users who are currently not using Password Alert because they reuse their passwords are getting no protection at all, but I’ve also spent some time evaluating how the system I’ve built would work against PhishTank data, and I think it’s quite doable, however those details will have to wait for a separate blog.
Available in Beta Now
For Firefox: You can find an Unsigned extension Hosted Here; however WebExtensions are not fully supported in Firefox yet anyway, so this is definitely more of an alpha release at this point. I will get this signed and into addons.mozilla.org when they begin signing WebExtensions.
Compatible with Password Alert server
If you’re using Password Alert in your enterprise and would like to deploy a Safari or Firefox version, this implementation is compatible with existing Password Alert servers.
I haven’t fully figured out what deployment should look for these platforms, but if you’re an enterprise that has deployed Password Alert already, or would like to, please give me a shout either in the private comments here, on twitter or at email@example.com.
I wanted to get this out as an MVP so that it wasn’t just lying around in Git and to see if people would find my version at all useful, so please let me know what you think. I’ve setup an Idea Gathering/Voting page pre-filled with some of my own thoughts here: http://ideas.passwordsage.com/
In particular, I think this is technology that could benefit users on all platforms, not just Google’s, so if there is interest I can extend this first to other specific websites that people are interested in, and then to tracking credentials for all websites.