
> Consider instead that passwords are only entered into some special and distinct OS controlled textbox

No, I understood this already. This is the easy technological solution which doesn't actually solve the real problem: some users (or really all users some of the time) will always be willing to enter their password into some other box which looks nothing like the one that webpages are prevented from mimicking.

Hell, I did it myself today: I entered my work password into an intranet site which was showing a "certificate error", even though in past experience this site had valid certs. Could that have actually been someone who broke into the intranet and set up a honeypot? Absolutely. But I needed the resource that was behind that password box in order to do my job, so I entered my password anyways.




> some users (or really all users some of the time) will always be willing to enter their password into some other box which looks nothing like the one that webpages are prevented from mimicking.

Phishing sites mimic real user sites because that greatly increases the success rate. You can always find someone who will do something; the important question is how often.

I don't think we should just throw up our hands and say user problems are unsolvable with technology. Good UX solves user problems; compare an Apple II to an iPad.

We have two problems: 1. it is easy to mimic password prompts, 2. it is hard for computers to tell who is legitimate and should be sent the password. This solution solves both.


You could be right, I could be right; the only way to know for sure is to build it.



