The threat model for website logins

One of the things that security people always say is that the first step in doing a decent security analysis is to figure out your threat model. So, what is the threat model for website logins, in other words what sort of attacks are you likely to face that you need to defend against?

My belief is that there are two or maybe three significant threats these days:

• phishing, for which the best defense is getting your users out of the habit of entering their passwords at all; either have them logged on all the time or have their browser memorize their password or both. That way actually being prompted for a password has a much better chance of raising alarm bells in the user's mind (and they might have forgotten their password, so digging it out will give them even more time to realize that something is wrong).

• compromised machines. There's no defense against these, although using one-time passwords can help mitigate the damage. But unless you're actually handling the user's money, you're unlikely to persuade users to put up with the annoyance of any one-time password scheme.

• maybe cross-site request forgery, which you can defend against in part by getting your users to log out regularly, which works best if logging in again is easy.

To bang on yesterday's issue again, you aren't protecting against any of these when you block browsers from memorizing password information for your site. The only one that comes close is compromised machines, but with them it doesn't matter whether or not the browser has the password stored; you've lost either way. At best you've forced the malicious payload to do more work, but keyloggers are not exactly difficult to find these days.

(My personal feeling is that the average website is much more at risk from phishing than from compromised machines, because phishing attacks are easier to put together and yield far more immediate and targeted results.)