We can get more secure

But the issue with phishing is that by definition, phishers trick people into thinking they are logging in to their bank or similar site. Whatever methods we put in place, can you ever assure a person can’t be tricked around them? We’re talking ordinary users with ordinary browsers who will not, it’s been demonstrated, tolerate cumbersome security techniques.

Thus my proposal of seeing them type in a known password to an unknown site and saying “whoa.” The advantage here is the user doesn’t do anything, instead the system notices the end result of any trickery — a password going to a place it’s not known to be meant to go. It doesn’t matter how they trick them, you still spotted it.

What you’re left with is the trickery being so good that even after you sound the alarm and give them hints on how to double-check for trickery, they still approve sending the password. That is not solved by my technique, and other systems may help better there.

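The "whoa" check described in the comment above, as an added illustration (not the commenter's code): the browser side keeps a keyed fingerprint of each password together with the origins it is known to go to, and raises an alarm when a known password is about to be submitted somewhere else. The device key, the `PasswordWatch` class and the sample origins are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Per-device secret so the local store holds keyed fingerprints, not reusable
# password hashes (constructed value; a real client would generate its own).
DEVICE_KEY = b"constructed-device-secret"


def fingerprint(password: str) -> str:
    """Keyed fingerprint of a password; the store never sees the password itself."""
    return hmac.new(DEVICE_KEY, password.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce a submission URL to scheme://host so paths and query strings don't matter."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}".lower()


@dataclass
class PasswordWatch:
    # fingerprint -> set of origins the password is known to belong to
    known: dict = field(default_factory=dict)

    def remember(self, url: str, password: str) -> None:
        """Record that this password legitimately goes to this origin."""
        self.known.setdefault(fingerprint(password), set()).add(origin_of(url))

    def check_submission(self, url: str, password: str) -> dict:
        """Run when a password field is about to be submitted to `url`.
        Verdicts: 'new' (never-seen password, nothing to compare against),
        'ok' (known password, known origin), 'alarm' (known password, unknown origin).
        The verdict carries the expected origins so the user can double-check."""
        fp = fingerprint(password)
        target = origin_of(url)
        if fp not in self.known:
            return {"verdict": "new", "origin": target, "expected": set()}
        expected = self.known[fp]
        verdict = "ok" if target in expected else "alarm"
        return {"verdict": verdict, "origin": target, "expected": set(expected)}

    def approve(self, url: str, password: str) -> None:
        """User overrides the alarm after checking; the pairing becomes known."""
        self.remember(url, password)
```

The override in `approve` is the residual case the comment concedes: once the user insists, the system has no further signal to act on.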