I just stumbled across a nice post on How Attackers Steal Passwords by Joe Golton over at FilterJoe. It's an interesting look at the common attacks on user passwords. There's not a lot new or surprising in the post but it's a good summary of the various attacks and what users can do to avoid or mitigate them.
The attacks fall roughly into three groups:
- Social Engineering
- Attacks on the Web site servers
- Malware that the user downloads, which then installs a keystroke logger or mounts some other attack on the local machine.
There's not much we can do to protect ourselves against the second type of attack except to never reuse passwords, so that a password stolen from one site can't simply be tried against every other account we own, and to avoid dealing with companies and sites that have demonstrably poor security practices. Avoiding social engineering attacks is mostly a matter of common sense and staying alert to the danger. Golton recommends deciding in advance that you will never give anyone your password under any circumstances. If you are forced to do so in order to perform some needed chore (to import data, say), then change the password immediately afterwards.
Golton's final note is that six of the nine attacks can be blocked with the correct use of a good password manager. He recommends RoboForm (Windows), 1Password (Mac OS X), KeePass (free), or LastPass for those looking for a cloud-based solution. His reasons for these recommendations are in the post.
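The two practical rules above, never reuse a password and let a manager generate a unique one per site, are easy to state but worth seeing mechanically. The following is an added example, not code from Golton's post or from any of the password managers he names: it generates per-site passwords from the OS CSPRNG the way a manager does, audits a vault for passwords shared across sites, and rotates every account that shares one. The vault contents are constructed sample data, and the site names and function names are my own.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed sample vault (site -> password); these are not real credentials.
SAMPLE_VAULT: Dict[str, str] = {
    "bank.example": "correct horse battery staple",
    "shop.example": "correct horse battery staple",   # reused from bank.example
    "mail.example": "Tr0ub4dor&3",
    "forum.example": "correct horse battery staple",  # reused again
}

# Character set a manager would draw from; roughly 6.5 bits of entropy per character.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn from a cryptographically secure RNG.

    secrets.choice is used rather than random.choice: the latter is a
    predictable Mersenne Twister and must never be used for credentials.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that appears on more than one site to the sorted list of those sites.

    Any password in the result is one that a breach of a single site would
    hand to an attacker for use against every other site in its list.
    """
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def rotate_reused(vault: Dict[str, str], length: int = 20) -> Dict[str, str]:
    """Return a copy of the vault in which every site sharing a password gets a fresh unique one.

    All sites in a reused group are rotated, not just the duplicates: once a
    password is shared you cannot know which site leaked it. Sites whose
    password was already unique are left untouched.
    """
    rotated = dict(vault)
    for sites in find_reused_passwords(vault).values():
        for site in sites:
            rotated[site] = generate_password(length)
    return rotated


if __name__ == "__main__":
    for password, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
    clean = rotate_reused(SAMPLE_VAULT)
    print("reuse remaining after rotation:", find_reused_passwords(clean))
```

Run against the sample vault, the audit flags the one password shared by three sites, and after rotation no two sites share a password while `mail.example` keeps its original, already unique, credential.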