WebApp Sec mailing list archives

RE: Summary: Growing Bad Practice with Login Forms


From: "Mike Peppard" <mpeppard () impole com>
Date: Wed, 28 Jul 2004 10:49:00 -0400

In the same way that sites tell users to look for the padlock, they should also be told to verify the certificate before blindly accepting it <snip>

Certs can be faked occasionally.
Not many users want to be educated about verifying a cert.
(Users are predictably unpredictable/dumb/busy/don't care)

Just as when banking you may get asked for two letters from your passphrase, the application could give you two characters from its passphrase to let you know that it's the real deal. If the characters don't add up ... you're in trouble.

Something like a database of unique graphics and you know you're secure if
the site has hashed your password and chosen "your" graphic to put in the
upper corner of every page?
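A server-side sketch of the site-to-user authenticators this reply proposes (the per-user "your" graphic and the characters-from-the-site-passphrase check), added here as an example and not code from the original thread. The graphic catalogue, the per-user enrolment secret used as the selector key, and the site passphrase are all assumptions of the example.

```python
import hmac
import hashlib

# Constructed catalogue of graphic identifiers (assumption: a real deployment
# stores a much larger set, since a phishing page guessing from N images
# still shows the right one 1/N of the time).
GRAPHICS = ["anchor", "bicycle", "cactus", "dolphin",
            "eagle", "falcon", "guitar", "harp"]


def choose_graphic(user_id: str, enrolment_secret: bytes, catalogue=GRAPHICS) -> str:
    """Pick the graphic the site puts in the corner of every page for this user.

    Assumption: the selector is keyed with a random per-user secret fixed at
    enrolment, rather than a hash of the password, so the image reveals
    nothing about the password if a phisher harvests it. HMAC keeps the
    mapping stable for one user and unpredictable without the secret.
    """
    digest = hmac.new(enrolment_secret, user_id.encode(), hashlib.sha256).digest()
    index = int.from_bytes(digest[:4], "big") % len(catalogue)
    return catalogue[index]


def passphrase_hint(site_passphrase: str, positions: tuple) -> str:
    """Reveal the characters at the requested 1-based positions of the site's
    passphrase: the banking 'two letters from your passphrase' check turned
    around so the site proves itself to the user."""
    return "".join(site_passphrase[p - 1] for p in positions)


def user_accepts_page(expected: str, shown: str) -> bool:
    """The user-side decision from the post: the authenticator adds up or not."""
    return hmac.compare_digest(expected.encode(), shown.encode())
```

A page from a phishing site that has not seen the enrolment secret shows the wrong graphic, which is the mismatch the reader is meant to notice.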

