
Do not trust… in your browser either


The issue of trust, and "social engineering" in particular, is considered the fastest way to break into a system. Below are two ways in which users' passwords can be stolen.

The first way is simple, but it will help users realize how exposed their passwords (Facebook and not only) are to anyone with access to their computer, if they trust their browser.

Yes, yes, I know, you get bored of logging in every time, etc. I feel you! But I prefer to log in "manually" rather than see the day come when I can no longer log in because the password will be wrong!

Way 1:

Read here: WebBrowserPassView.

As you can see, it is a small tool which does something very simple: it recovers the saved passwords from all browsers present on the user's system.

Visit a web page, enter your password (e.g. Facebook), and let the browser save it (it will ask, and you will accept!).

Now download WebBrowserPassView and run the application (no installation required). If you really let the browser save the data, WebBrowserPassView will find and display it (along with the details of whatever other accounts you have on other websites).

"So what? What about it? No one saw them."

Yes, no one saw them… for now!

Code similar to the tool above can be integrated into a program that gets run on the computer (through various techniques, phishing attacks, etc.). The program does what was described above and, why not, sends your details to someone who rubs his hands with satisfaction... And because the program was "running" in the background, you didn't notice a thing!

Conclusion:

1. Anyone who has access to the user's computer can access his or her passwords.

2. A malicious attacker who gains access to the user's system can very easily get all of his passwords (with scripts containing code similar to WebBrowserPassView).

And all this just because… you trust the browser!

Way 2:

The second way is slightly more complex, but the result is the same.

The attack is based on creating a clone of another website, which the attacker makes sure "runs" on a server he controls (say, 111.111.111.111, hosting a Facebook clone). The attacker must then direct the victim to 111.111.111.111 and convince him that this page really is Facebook. If he succeeds, then as soon as the victim attempts to log in, the credentials are sent straight to the attacker. This may be too hard a way to fool someone, though, since the address bar (showing 111.111.111.111) is "eye-popping"!

So the attack gets a bit more sophisticated (don't complain! No pain, no gain!).

On every computer, whether Linux or Windows, there is a file called "hosts". It is the first place the system looks (before it even asks any DNS server) to find the IP address corresponding to the domain name the user typed. So the malicious user needs access to the computer for just 30 seconds in order to add the following entry to that file:

111.111.111.111 www.facebook.com

Then, when the user opens the browser and types www.facebook.com, the computer "reads" 111.111.111.111 and the user is taken to a page that looks like Facebook but is not Facebook! And of course he notices nothing, since the address bar still shows "www.facebook.com". Log in and… you have been hacked!
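As an added example (not from the original article), here is a small Python script that checks a hosts file for exactly this kind of entry. It assumes a watch list of domains that should never be overridden locally; the hosts content it inspects is constructed for the demo.

```python
# Added example (not from the original article): audit a hosts file for
# entries that pin a well-known domain to an address other than loopback.
# Standard hosts format is "IP hostname [alias ...]"; comments start with '#'.
import ipaddress

# Constructed sample hosts content. The last line mirrors the redirection the
# article describes; 111.111.111.111 is the article's placeholder, not a real host.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example        # sinkholed ad domain, harmless
111.111.111.111 www.facebook.com   # public domain pinned to a fixed server
"""

# Domains whose local override would be a red flag (assumed watch list).
WATCHED_DOMAINS = {"www.facebook.com", "facebook.com", "accounts.google.com"}


def parse_hosts(text):
    """Return [(ip, [hostnames])]; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first column is not an IP address
        entries.append((ip, [h.lower() for h in fields[1:]]))
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs where a watched domain is mapped to an
    address that is neither loopback nor the 0.0.0.0 sinkhole."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                          # localhost aliases / blackholes are normal
        findings.extend((n, str(ip)) for n in names if n in watched)
    return findings


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```

To run it against a real machine, read /etc/hosts (Linux) or C:\Windows\System32\drivers\etc\hosts (Windows) into a string and pass it to suspicious_entries.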

I hope you are now convinced that someone with access to your computer and a minimum of time can do a lot.

So guard your computer, and keep your eyes open!

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris

Dimitris hates on Mondays .....

2 Comments

  1. @anonymous I highly recommend it, dude. The AES (Advanced Encryption Standard) algorithm it uses guarantees the security of your passwords. If I'm not mistaken, 1password is moving to a 256-bit key, which makes it even more powerful, but will cost a bit in performance.

    For those who have never heard of AES, you can see exactly how it works here:  https://www.youtube.com/watch?v=J10GALwsPYM

  2. What is your opinion of the 1password program, which encrypts your passwords with AES inside the program, so you have them all there without your browser having to do it?
