This article on osxdaily.com discusses an issue in Mavericks and Yosemite where the user is prompted for passwords "at random times".
In the article, the following is claimed.
[The scenario where an attacker prompts you for your password] may be very unlikely, but it’s just good practice to not trust random password prompts, regardless of where they come from.
I think this claim makes a lot of sense, even if it perhaps glosses over details. To me it seems strange that the timing of a prompt should matter: If you are doing icloud stuff and you are prompted for a password you may think this ok, but if prompted at a "random time" you may become suspicious. I think this is a good mindset from a practical point of view, but I think this does probably not correspond to the security model that the developers had in mind.
My hypothesis is that no application should be able to generate a prompt with an "official icon" in the top left area, like the lock, or the icon for icloud.
I am not too worried about verifying the authenticity of a prompt from a browser (which is mentioned in the article), as I feel confident that I recognise such prompts. Any icon can be embedded in a website, but one can find out that the icon/prompt is then part of the website. My main concern is an attacker that already has access to your computer, but not administrator privileges.
My question is: Is there any practical way for a user to know that a password prompt is authentic? Should one rely on these icons?
Related
This Q&A on superuser asks for methods to verify the validity of any window in a programmatic way, but I am looking for something more practical.
ICloud Password prompt (possible duplicate)
