The issue of trust and "social engineering" is considered the fastest way to break a system. Below are two ways in which users' passwords can be stolen.
The first way is simple, but it will help users realize how exposed their passwords (for Facebook and everything else) are to anyone's eyes if they trust their browser.
Yes, yes, I know: you get bored of logging in every time, and so on. I feel you! But I prefer to log in "manually" rather than have the day come when I cannot log in because the password is wrong!
Way 1:
Read here: WebBrowserPassView.
As you can see, it is a tool that does something very simple. It recovers the passwords saved by all the browsers installed on the user's system.
Visit a website (e.g. Facebook), enter your password, and let the browser save it (it will ask, and you will accept!).
Now download WebBrowserPassView and run the application (no installation required). If you really let the browser save the data, WebBrowserPassView will find and display it (along with the details of the accounts you have on other websites).
"So what? No one saw them."
Yes, no one saw them… this time!
Code similar to that of the above program can be built into a program that ends up running on the computer (through various techniques, phishing attacks, etc.). That program does what was described above and, why not, sends your data to someone specific who rubs his hands with satisfaction… And because the program ran in the background, you noticed nothing!
Conclusion:
1. Anyone who has access to the user's computer can access his or her passwords.
2. A malicious attacker who gains access to the user's system can simply and easily get all of the user's passwords (with various scripts that contain code similar to that of WebBrowserPassView).
And all this just because… you trust the browser!
Way 2:
The second way is slightly more complex, but the result is the same.
The attack is based on creating a clone of another website, which the attacker makes sure is running on some server (for example, say the server is 111.111.111.111 and a Facebook clone runs on it). The attacker must direct the victim to the page at 111.111.111.111 and convince the user that this page is indeed Facebook. If this succeeds, then as soon as the user attempts to log in, the credentials are immediately sent to the attacker. Perhaps it is too hard to trick someone this way, as the address bar (showing 111.111.111.111) is "eye-popping"!
However, the attack can become more complex (do not complain! No pain, no gain!).
On every computer, be it Linux or Windows, there is a file called "hosts". It is the first place the browser will check (before it even asks the DNS servers) to find the IP address that corresponds to the domain name typed by the user. So the malicious user only needs access to the computer for 30 seconds to write the following to the file:
111.111.111.111 www.facebook.com
Then, when the user opens the browser and types www.facebook.com, the name resolves to 111.111.111.111 and the user is taken to a page that looks like Facebook but is not Facebook! And of course the user notices nothing, since the address bar continues to show "www.facebook.com". He logs in and... you have been hacked!
I hope you are convinced that someone with access to your computer and a minimum of time available can do a lot.
That's why you should guard your computer like your own eyes!
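A defensive check for the hosts-file trick in Way 2, added here as an example that is not part of the original article: it parses hosts-file text and reports every entry that overrides a watched domain. The WATCHED set, the function names and the sample text are assumptions made for illustration; 111.111.111.111 is the article's placeholder address.

```python
import ipaddress
import os
import sys

# Assumption: domains whose logins matter to you; they should resolve via DNS only.
WATCHED = {"facebook.com"}

def hosts_path():
    """Location of the hosts file on Windows or Linux/macOS."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text."""
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])  # the address comes first
        except ValueError:
            continue  # first field is not an address: skip the line
        for name in fields[1:]:  # one address may carry several names
            yield number, ip, name.lower().rstrip(".")

def find_overrides(text, watched=WATCHED):
    """Return hosts entries that override a watched domain or a subdomain of it."""
    findings = []
    for number, ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            # Loopback/unspecified usually means "blocked"; anything else redirects.
            kind = "block" if ip.is_loopback or ip.is_unspecified else "redirect"
            findings.append((number, str(ip), name, kind))
    return findings

# Constructed sample, using the placeholder address from the article.
SAMPLE = """\
127.0.0.1   localhost
# 111.111.111.111 www.facebook.com   (commented out, ignored)
111.111.111.111 WWW.Facebook.com login.facebook.com  # injected
0.0.0.0     ads.facebook.com
10.0.0.5    intranet.example
"""

if __name__ == "__main__":
    source = open(hosts_path(), encoding="utf-8", errors="replace").read()
    for number, ip, name, kind in find_overrides(source):
        print(f"hosts line {number}: {name} -> {ip} ({kind})")
```

Run as a script, it audits the machine's own hosts file; any "redirect" line for a site you log in to deserves investigation.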
@anonymous I highly recommend it, dude. The AES (Advanced Encryption Standard) algorithm it uses guarantees the security of your passwords. If I'm not mistaken, 1Password moves to a 256-bit key, which makes it even more powerful, but will cost a bit in performance.
For those who have never heard of AES, you can see exactly how it works here: https://www.youtube.com/watch?v=J10GALwsPYM
What is your opinion about the 1Password program, which encrypts your passwords with AES inside the program, so you have them all there without your browser having to do it?