Tyler wrote:
In general, as mentioned, you should simply not enter your password on any website that is not the site the password belongs to. For my full-time job, employees have a Chrome extension where if you accidentally type your password on any website (even if it's not in a text box) you're required to reset it.
[Slightly off topic] That is an interesting approach. Obviously not applicable to us, but in a corporate setting I imagine it could be quite effective.
One thing I would worry about is the potential for timing attacks as you are now doing password comparisons against untrusted input from all over the internet with no rate limiting. I suppose that is taken into account when writing the extension though and precautions are taken.
-- bawolff