Early this year, I tried to brainstorm ways to defeat phishing, and recall asking myself why no-one was doing something like Password Alert because it seemed so simple and so obvious. In June, I found out that Google had already been doing it for years internally and had expended the effort to release their extension both for regular users and enterprises who wanted to deploy it internally.

I was both a bit bummed that someone had beaten me to the punch, but also vindicated that the idea had some merit. After spending a bunch of time trying to figure out how I could do something in this space, I have written my own version with the following features:

Cross-Platform Browser Support

I am sitting on the fence about building a version for IE since Edge is meant to have a largely compatible extensions model soon, but it might be possible to do something for IE as well by using an existing cross-platform toolkit and not having to resort to BHOs.

Facebook Support

Unlike Google, I have an interest in helping everyone protect all of their credentials, and I hope that in time I can extend it to handle arbitrary sites, however an aborted attempt at writing a password manager taught me that solving this problem in general can be tricky, so for the moment Password Sage has an internal rules engine which I’ve used to add Facebook support as a testing ground for the functionality in general, which can hopefully be a be for supporting much of the web before tacking the general case :)

Dynamic Whitelist

I realise that everyone is getting more privacy conscious these days, and while browsers have taken a lot of flack for checking every URL against a phishing database, I am hoping that checking only URLs where users enter their password is a tradeoff users find acceptable.

For those concerned about how such a whitelist will cause Password Sage to miss attacks, I would firstly mention that all the users who are currently not using Password Alert because they reuse their passwords are getting no protection at all, but I’ve also spent some time evaluating how the system I’ve built would work against PhishTank data, and I think it’s quite doable, however those details will have to wait for a separate blog.

Available in Beta Now

For Firefox: You can find an Unsigned extension Hosted Here; however WebExtensions are not fully supported in Firefox yet anyway, so this is definitely more of an alpha release at this point. I will get this signed and into addons.mozilla.org when they begin signing WebExtensions.

Compatible with Password Alert server

I haven’t fully figured out what deployment should look for these platforms, but if you’re an enterprise that has deployed Password Alert already, or would like to, please give me a shout either in the private comments here, on twitter or at kuza55@gmail.com.


In particular, I think this is technology that could benefit users on all platforms, not just Google’s, so if there is interest I can extend this first to other specific websites that people are interested in, and then to tracking credentials for all websites.