The current Password Alert server is extremely complicated to set up and heavily tied to Google Apps because it invokes password resets from the server.
Google is currently working on a hosted version of the Password Alert server, which I assume requires a rework of the permission model. Almost all of the difficulty could be removed by simply having the client force a reset of its own password.
At the time of a phishing attack, we have a candidate username & password, so we should be able to log in as the user for whom we have credentials, change their password to a randomly generated one, and then present a UI to the user with their new password.
The main advantage of this is that it would work for any site, Google or otherwise.