WebApp Sec mailing list archives

Re: Summary: Growing Bad Practice with Login Forms


From: <athena () buyukada co uk>
Date: Wed, 28 Jul 2004 17:15:43 +0100 (BST)

On Wednesday 28 Jul 2004 14:27, Ivan Andres Hernandez Puga wrote:

I am unable to find the post, but the suggestion of pass phrases that
the user holds would surely help.  Showing characters x and y to a
user and getting them to verify them against a given phrase (provided
non-electronically, by normal post perhaps) would allow the user to
verify in her own mind that the site is legitimate before entering
login information.

The reason I suggested characters from pass phrases was because when
designing an authentication mechanism for a private bank I realised that
unless you use alt tags for text, it isn't really accessible to the blind.
Also the pass phrase can be sent along with the PIN in the post. The
feedback I got indicated that the users had absolutely no problem adapting
to it as they thought it was just another PIN - the bank now mentions two
characters from the passphrase when they call the account holder to
confirm their identity over the phone, something they find particularly
useful.

athena () buyukada co uk wrote:
Users are stupid, unpredictable, and applications would function a
lot better without their interaction.

Perhaps intended to be tongue-in-cheek somewhat?  None of us deny the
point in the technology is for the user.

It was meant to be tongue-in-cheek. I think Mark's Disney reference in
another post does demonstrate proof of at least the first item in that
statement though :)

David Telfer

Steve
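The two-character check discussed in this thread, sketched as an added example (not code from any poster or from the bank mentioned). It assumes the passphrase was delivered on paper with the PIN, that the site picks two fresh, distinct positions per session before showing the login form, and that the same challenge is reused by the call centre; the sample passphrase and all function names are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample: the passphrase as posted to the account holder
# together with the PIN (hypothetical value, no spaces for simplicity).
SAMPLE_PASSPHRASE = "tortoise"


def choose_positions(length: int, count: int = 2) -> Tuple[int, ...]:
    """Server side: pick `count` distinct 1-based positions with a CSPRNG.

    Fresh positions per session mean an observer of one page load learns
    at most `count` characters of the phrase, not the whole thing.
    """
    if length < count:
        raise ValueError("passphrase shorter than the number of positions requested")
    chosen = set()
    while len(chosen) < count:
        chosen.add(secrets.randbelow(length) + 1)
    return tuple(sorted(chosen))


def build_challenge(passphrase: str, positions: Optional[Sequence[int]] = None) -> Dict[str, object]:
    """Server side: the characters the site shows before asking for credentials.

    `positions` may be supplied explicitly (e.g. for tests); otherwise they are
    drawn at random for this session.
    """
    pos = tuple(positions) if positions is not None else choose_positions(len(passphrase))
    for p in pos:
        if not 1 <= p <= len(passphrase):
            raise ValueError(f"position {p} outside passphrase")
    return {"positions": pos, "characters": "".join(passphrase[p - 1] for p in pos)}


def user_verifies(challenge: Dict[str, object], own_copy: str) -> bool:
    """User side: compare the displayed characters with the posted copy.

    A site that cannot produce the right characters at the stated positions
    is not the real one, so the user stops before typing anything.
    """
    positions = challenge["positions"]  # type: ignore[assignment]
    if any(p > len(own_copy) for p in positions):  # type: ignore[operator]
        return False
    expected = "".join(own_copy[p - 1] for p in positions)  # type: ignore[operator]
    return expected == challenge["characters"]


def verify_response(passphrase: str, positions: Sequence[int], answer: str) -> bool:
    """Server side: the telephone variant, where the caller is asked for
    the characters at the given positions and the bank checks the answer.

    hmac.compare_digest avoids leaking how many characters matched via timing.
    """
    expected = "".join(passphrase[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    challenge = build_challenge(SAMPLE_PASSPHRASE)
    print("site shows positions", challenge["positions"], "->", challenge["characters"])
    print("user check against own copy:", user_verifies(challenge, SAMPLE_PASSPHRASE))
```

The user-side check is deliberately the weakest link: it only helps if the positions change every session and the user actually looks before typing, which is why the phone use of the same phrase in the thread is a nice reinforcement of the habit.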
