The threat model for website logins
One of the things that security people always say is that the first step in doing a decent security analysis is to figure out your threat model. So, what is the threat model for website logins, in other words what sort of attacks are you likely to face that you need to defend against?
My belief is that there are two or maybe three significant threats these days:
- phishing, for which the best defense is getting your users out of the
habit of entering their passwords at all; either have them logged on
all the time or have their browser memorize their password or both.
That way actually being prompted for a password has a much better
chance of raising alarm bells in the user's mind (and they might
have forgotten their password, so digging it out will give them
even more time to realize that something is wrong).
- compromised machines. There's no defense against these, although
using one-time passwords can help mitigate the damage. But unless
you're actually handling the user's money, you're unlikely to
persuade users to put up with the annoyance of any one-time
- maybe cross-site request forgery, which you can defend against in part by getting your users to log out regularly, which works best if logging in again is easy.
To bang on yesterday's issue again, you aren't protecting against any of these when you block browsers from memorizing password information for your site. The only one that comes close is compromised machines, but with them it doesn't matter whether or not the browser has the password stored; you've lost either way. At best you've forced the malicious payload to do more work, but keyloggers are not exactly difficult to find these days.
(My personal feeling is that the average website is much more at risk from phishing than from compromised machines, because phishing attacks are easier to put together and yield far more immediate and targeted results.)