How Passwords Get Stolen

I just stumbled across a nice post on How Attackers Steal Passwords by Joe Golton over at FilterJoe. It’s an interesting look at the common attacks on user passwords. There’s not a lot new or surprising in the post but it’s a good summary of the various attacks and what users can do to avoid or mitigate them.

The attacks fall roughly into three groups:

  1. Social Engineering
  2. Attacks on the Web site servers
  3. Malware that the user downloads, which then installs a keystroke logger or mounts some other attack.

There’s not much we can do to protect ourselves against the second type of attack except to never reuse passwords and to avoid dealing with companies and sites that have demonstrably poor security practices. Avoiding social engineering attacks is mostly a matter of common sense and staying alert to the danger. Golton recommends just deciding in advance that you will never give anyone your passwords under any circumstances. If you are forced to do so in order to perform some needed chore—to import data, say—then immediately change it afterwards.

The third category is the hardest to deal with. Some password managers can help here with their automatic log-on functions, which make it difficult for keystroke loggers to intercept the passwords. Browsers like Chrome that set up sandboxes can also help, but as Golton explains, some of these attacks are JavaScript based and so operate entirely within the browser. The safest thing to do is to use a separate machine for banking and other high-value transactions, but not many people are going to do that. At the least, it may pay to quit your browser and start a new instance before doing any banking in order to get rid of stray JavaScript.

Golton’s final note is that six of the nine attacks can be blocked with the correct use of a good password manager. He recommends RoboForm (Windows), 1Password (Mac OS X), KeePass (free), or LastPass for those looking for a cloud-based solution. You can read his reasons for these recommendations here.
