WebApp Sec mailing list archives
Re: Summary: Growing Bad Practice with Login Forms
From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Wed, 28 Jul 2004 09:46:14 -0700
Something like a database of unique graphics and you know you're secure if the site has hashed your password and chosen "your" graphic to put in the upper corner of every page?
This sort of solution would only help people who are already conscientious. How many people would want to go to the extra trouble of establishing such an image and then remembering the images? People who are tricked by phishing typically would fail to note that the image wasn't displayed because they are more or less blindly following instructions. Heck, criminals would send fake messages saying the recipient's image was stolen and that they'd like you to come and choose a new image -- after giving your username and password, of course!

If people all had small images of themselves that they could upload, this would be good and obviously easily recognizable, but most people don't have them to upload.

To make this work, you also have to break the login step into two steps. First, you need to identify yourself so that the image can be displayed, but before the password is entered. If you prompted for both, would the user remember that he's supposed to do this in two steps and that he should not go further, especially if the user was tricked by a phishing email that perhaps made him think something had gone wrong?

Unfortunately, most good security prospects seem to only work with people who care about security. And if people care so little about security, is there really a security problem to them? When criminals break into homes routinely, people buy locks, and in higher-crime areas they even bar their windows. Scams have been with humans since the beginning because most people are easy targets, and scams are not as common as security people would have us believe.

David