OneLogin releases Chrome extension combating password reuse

OneLogin said its new tool is capable of discovering phishing websites and does not store users' passwords. Instead, it uses hash analysis to identify reused and weak passwords.

OneLogin, a unified access management vendor, today introduced Shield, a browser extension intended to fight password reuse, weak password practices and phishing. The software is available in both free and enterprise plans and through the Google Chrome browser.

Reusing and sharing passwords are common practices that pose serious threats of data breach for the enterprise. A 2019 report from the Ponemon Institute discovered that nearly two out of three respondents admitted to sharing passwords with their colleagues in the workplace, and more than half reuse an average of five passwords across their business and/or personal accounts. The report surveyed 1,761 IT and IT security practitioners in the United States, United Kingdom, Germany and France.

Shield touts the ability to protect organizations against risks posed by passwords and identity reuse, weak password practices and phishing with the following capabilities:

  • Combat password reuse: Alerts users when they use the same passwords across any website.
  • Fight weak passwords: Notifies users when they use common, insecure and easily compromised passwords.
  • Defend against phishing: Discovers websites that are likely to use credential fraud tactics.

OneLogin released Shield as an open source tool. The company said the tool does not analyze or store passwords themselves; it analyzes password hashes to identify reuse and weak passwords.
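
The article does not describe how Shield computes or compares its hashes. As an added example (not Shield's code), the sketch below shows one way to detect reuse and common passwords from digests alone; the per-install salt, the use of scrypt, the class name, the sample password list and the hostnames are all assumptions. It runs under Node.js.

```javascript
// Added illustration; NOT OneLogin Shield's source. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Constructed sample; a real list of common passwords would be far larger.
const COMMON_PASSWORDS = ['123456', 'password', 'qwerty', 'letmein'];

class PasswordHygieneStore {
  constructor(installSalt = nodeCrypto.randomBytes(16)) {
    // Assumption: one random salt per browser profile, so equal passwords
    // give equal digests locally but digests differ between installs.
    this.installSalt = installSalt;
    this.siteToDigest = new Map();  // hostname -> hex digest
    this.digestToSites = new Map(); // hex digest -> Set of hostnames
    this.weakDigests = new Set(COMMON_PASSWORDS.map((p) => this.digest(p)));
  }

  // scrypt is deliberately slow, raising the cost of guessing passwords
  // from a copied digest store.
  digest(password) {
    const normalized = password.normalize('NFKC');
    return nodeCrypto.scryptSync(normalized, this.installSalt, 32).toString('hex');
  }

  // Call when a password is submitted on `hostname`; only the digest is kept.
  check(hostname, password) {
    const d = this.digest(password);
    // If the site's password changed, drop the stale association first.
    const prev = this.siteToDigest.get(hostname);
    if (prev && prev !== d) this.digestToSites.get(prev).delete(hostname);
    const sites = this.digestToSites.get(d) || new Set();
    const reusedOn = [...sites].filter((h) => h !== hostname).sort();
    sites.add(hostname);
    this.digestToSites.set(d, sites);
    this.siteToDigest.set(hostname, d);
    return { weak: this.weakDigests.has(d), reusedOn };
  }
}

// Constructed usage with made-up hostnames.
const store = new PasswordHygieneStore();
const first = store.check('mail.example', 'correct horse battery staple');
const second = store.check('shop.example', 'correct horse battery staple');
const third = store.check('forum.example', 'qwerty');
console.log({ first, second, third });
```

Because the salt is shared across sites within one install, the stored digests are only as strong as the passwords behind them; the store itself still needs to be protected like any other credential material.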

Shield is a browser extension available through Google Chrome; it works with any existing identity provider and offers users a free or enterprise plan. The enterprise version of Shield offers more functionalities such as the ability to alert administrators or suspend user accounts if the software identifies threats and the ability to export intelligence to security information and event management tools for further reporting and analysis.

Google offers its own password protection extensions called Password Alert and Password Checkup. Password Alert notifies users if they enter their Google Account password into any site other than Google's sign-in page. However, it does not protect passwords for non-Google services. The Password Checkup extension promises to help users resecure accounts affected by data breaches. According to Google, the extension alerts users if they enter a username and password that is no longer safe because it appears in a data breach known to the company.
