What stops fake password prompts?
Solution 1:
Is there anything which can make this process safer?
Yes. The user.
90% of hacking is social engineering. It's not what people think it is; some bleary eyed geek sitting in a dark basement surrounded by high caffeine content energy drinks and a seeming endless supply of Hot Pockets tapping out cryptic code on a keyboard as they somehow overcome whatever defenses you thought you had.
There are the vulnerabilities and the exploits that hackers do take advantage of and some of them are really cool (for instance, I can take control of a domain connected Windows machine simply by making the on screen keyboard launch command prompt as an admin, but that's another story for another day). However most of the hacking is how we can get people to give up the goods.
Where this applies is to be cognizant about what you're doing. The "knee-jerk reaction" to seeing a dialog box with a password is to do exactly what you are thinking right now: type in your password. What you need to do is get the habit of doing is taking a pause and asking yourself why.
-
If you're doing what you've always done and suddenly out of the blue you get a password request...ask why it's showing up now.
-
If you're installing something, ask why does it needs admin rights - it's probably legitimate, but a quick pause to mentally verify is always good (I do this when shopping too..."do I really need this thing?")
-
If you're on a website and you see a pop-up, ask why would they need that?
The key here is to take a moment and rationalize why you're entering your credentials. *You can always hit "cancel," you won't break anything, if you're not sure.
Something to consider...
Remember, most hacking is social engineering. Hackers know that most people don't want to go through the hassle of remembering different passwords for different accounts. If they can get your email address by examining cookies and then trick you into revealing a password, they now can try virtually every service (Facebook, Gmail, Twitter, etc.) to see what can be compromised.
Something more to consider...
Hacking is not about taking complete control of your system to make the mouse do crazy things or move files and folders. It's about lateral jumps, or in layman's terms: what access can I get on computer A that will give me access to computer B or system C? Hosing up your system only alerts you to their pretense which means you'll likely shut the door. They don't want that.
Solution 2:
Theoretically: nothing. I can create a dialog to mimic the authentication dialog in a few lines.
Luckily, owning root is not what it was, and there is still much that an admin user can't do: this is why Apple has implemented SIP and read-only System volumes, and authenticated permissions for apps; plus certificates and all the rest of it.