An idea for a browser anti-phish feature
Sparked by yesterday's entry, here's a somewhat naive idea for a browser anti-phish feature that might actually work, at least until phish spammers start getting really creative in various ways.
First, let's start with the twin observations that the real goal of anti-phish efforts is to avoid you entering your bank login and password anywhere except on your bank's site, and that people notice the presence of things much more easily than they notice the absence of things.
(Hence, among other things, the underwhelming success SSL has had in stopping phishing; quick, notice that the padlock is not being shown in the URL bar, when it often isn't shown in the first place.)
So let's take the goal as a literal thing. Have the browser remember your sensitive logins and passwords, along with the websites they're supposed to be used on, and whenever you enter both into a form on any other website, have the browser pop up a big 'WHOA THERE' warning.
(For obvious reasons, the browser would store the login and password hashed and salted.)
This doesn't need website or user involvement to collect the basic information; the browser can passively build an index of sensitive logins and passwords by using the 'do not remember this field' flag that banks and other places set on their forms.
The downfall of this trick comes when phishers start prompting for your login and password using something besides simple forms, ranging from the very basic 'please email us your account information' approach through having JavaScript-based data entry instead of plain forms on their phish pages.