There are many proposals out there for tools to stop Phishing. Web sites that display a custom photo you provide. “Pet names” given to web sites so you can confirm you’re where you were before.
I think we already have a good chunk of one anti-phishing technique in place with the browser password vaults. Now I don’t store my most important passwords (bank, etc.) in my password vault, but I do store most medium-importance ones there (accounts at various billing entities, etc.). I just use a simple common password for web boards, blogs and other places where the damage from compromise is nil to minimal.
So when I go to such a site, I expect the password vault to fill in the password. If it doesn’t, that’s a big warning flag for me, and so I can’t easily be phished for those sites. Even skilled people can be fooled by clever phishes. For example, a test phish to bankofthevvest.com (two “v”s instead of a “w”, which look identical in many fonts) fooled even skilled users who check the SSL lock icon, etc.
The browser should store passwords in the vault, and even the “don’t store this” passwords should have a hash stored in the vault unless I really want to turn that off. Then, the browser should detect if I ever type a string into any box which matches the hash of one of my passwords. If my password for bankofthewest is “secretword” and I use it on bankofthewest.com, no problem. “secretword” isn’t stored in my password vault, but the hash of it is. If I ever type in “secretword” to any other site at all, I should get an alert. If it really is another site of the bank, I will examine that and confirm to send the password. Hopefully I’ll do a good job of examining — it’s still possible I’ll be fooled by bankofthevvest.com, but other tricks won’t fool me.
The key requirements for any system like this are that it warns you of a phish and that it rarely gives you a false warning. The latter is hard to do, but this comes decently close. However, since I suspect most people are like me and have a common password we use again and again at “who-cares” sites, we don’t want to be warned all the time. The second time we use that password, we’ll get a warning, and we need a box to say, “Don’t warn me about re-use of this password.”
Read on for subtleties…
Password re-use is of course a bad idea at sites that matter. Most of them store your password in their own databases in the clear. If you use the same password at your bank as at PayPal, somebody who breaks into one (or an unscrupulous insider) can then freely break into the other, with no way to trace back how they learned it. But you can only remember so many passwords, and you sometimes need access to passwords on the road (risky as that is). Systems that generate a unique password for every site are great, but you’re toast if you are on the road or if you lose the master password. Some of your passwords you just need to keep in memory.
Now there is one big hole in what I’ve described. Phishers can write live, one-character-at-a-time applications to simulate a password box, and bypass the checks I have above. After you have typed “secretword”, we could stop the sending of the “d”, but they might have learned all the rest. We could hash some prefixes of your password, if you make them strange enough, so they can be spotted, but this is harder to make perfect.
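As an added illustration (not code from the original post, and not any browser’s real implementation), here is the vault-side check described above: keyed hashes of each password and of its longer prefixes are stored per site, a typed string that matches a hash bound to a different hostname raises a warning, the “don’t warn me about re-use” flag suppresses it, and the prefix hashes fire before the last keystroke to narrow the one-character-at-a-time hole. The `ReuseMonitor` class, the `min_prefix` cutoff of 6 and the sample sites are assumptions for the demo.

```python
import hashlib
import hmac
import os


class ReuseMonitor:
    """Hypothetical vault-side check. Never stores plaintext: each password
    and each of its prefixes of length >= min_prefix is kept only as an
    HMAC digest, mapped to the site(s) it belongs to."""

    def __init__(self, min_prefix=6):
        self.key = os.urandom(32)      # per-profile secret; table is useless without it
        self.min_prefix = min_prefix   # shortest prefix worth alerting on
        self.table = {}                # digest -> {"sites": set, "allow_reuse": bool}

    def _digest(self, text):
        # HMAC rather than a bare hash so a stolen table cannot be brute-forced cheaply
        return hmac.new(self.key, text.encode(), hashlib.sha256).hexdigest()

    def remember(self, site, password, allow_reuse=False):
        """Record a password for `site`. allow_reuse=True is the
        'don't warn me about re-use of this password' box; the flag is
        fixed when the password is first stored."""
        for n in range(self.min_prefix, len(password) + 1):
            entry = self.table.setdefault(
                self._digest(password[:n]), {"sites": set(), "allow_reuse": allow_reuse})
            entry["sites"].add(site)

    def check(self, site, typed):
        """Call on every keystroke with the field's current contents.
        Returns the other sites this text belongs to (empty set = no warning)."""
        entry = self.table.get(self._digest(typed))
        if entry is None or entry["allow_reuse"]:
            return set()
        return entry["sites"] - {site}


def demo():
    # Constructed sample: one important password, one throwaway password.
    m = ReuseMonitor()
    m.remember("bankofthewest.com", "secretword")
    m.remember("someforum.example", "throwaway1", allow_reuse=True)
    return {
        "same_site": m.check("bankofthewest.com", "secretword"),     # no warning
        "lookalike": m.check("bankofthevvest.com", "secretword"),    # warns
        "prefix_leak": m.check("bankofthevvest.com", "secretw"),     # warns before the last key
        "too_short": m.check("bankofthevvest.com", "secre"),         # below min_prefix
        "who_cares": m.check("anotherblog.example", "throwaway1"),   # re-use allowed
    }
```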
I will also add that there are many levels of solutions to phishing. The above proposal is one aimed at helping users, one browser at a time. Far more involved proposals, which change how sites do login, can do more, but they require major efforts to get adoption. Any new system must be adoptable one site at a time, one user at a time. In the long term, the answer is to move authentication into a personal token (i.e. a cell phone) we carry around with us, with PINs or personal biometrics, and no transmission of passwords at all (i.e. hash-based challenge/response or digital signature).