WebApp Sec mailing list archives
RE: Summary: Growing Bad Practice with Login Forms
From: "Mike Peppard" <mpeppard () impole com>
Date: Thu, 29 Jul 2004 09:30:56 -0400
Something like a database of unique graphics and you know you're secure if the site has hashed your password and chosen "your" graphic to put in the upper corner of every page?
This sort of solution would only help people who are already conscientious. How many people would want to go to the extra trouble of establishing such an image and then remembering the images?
You make them, just like you make them use a PIN. I'm also talking about higher security sites. Banks and the like. For a shopping cart at "Joe's Internet automart" this makes no sense, but problems would be covered under credit card insurance there.

I'm thinking about the procedure:

1) I go to your site and check SSL is on. <Assumption is that "your site" is the site I really wanted to go to.>
2) I put in my private information.
3) You send me back a graphic. <Assumption is that we are the only ones who know the graphic.>
4) I have to send a reply back that the graphic I see is the correct graphic. It may take a couple of tries.
5) The "good site" now knows I have the password and know the graphic. <Assumption is that having the graphic and password makes me the owner of the graphic and password, not the phisher.>
6) I check each page for the graphic. <Assumption is that I'm safe if I see the graphic.>
7) If the graphic is wrong or disappears, I call the bank right away. <Assumption is that I care enough to do it.>

It's the assumptions that bother me and how to ensure minimal damage can occur before dual verification happens. The graphic can be assigned from a large database of graphics randomly and be effective. A person confronted with a pic of children playing would be disconcerted when the reply graphic had... say... black and white blocks on a table.
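The seven-step procedure above, as an added example that is not part of the original post or thread: a hypothetical `BankSite` class implements steps 2 to 5 (hashed password check, randomly assigned graphic from a constructed sample database, user confirmation of the graphic, then a session), and a hypothetical `RelayingPhisher` class models the assumption flagged at step 3 by simply proxying the exchange to the real site. The graphic file names, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample database standing in for the "large database of graphics".
GRAPHIC_DB = [
    "children_playing.png",
    "bw_blocks_on_table.png",
    "lighthouse.png",
    "red_bicycle.png",
]


class BankSite:
    """Hypothetical server for the graphic-confirmation login described in the post."""

    def __init__(self):
        self.users = {}     # username -> (salt, password hash, assigned graphic)
        self.sessions = {}  # session token -> username

    def register(self, username, password):
        # The password is stored only as a salted PBKDF2 hash; the graphic is
        # chosen at random so it cannot be guessed from the user name.
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        graphic = secrets.choice(GRAPHIC_DB)
        self.users[username] = (salt, pw_hash, graphic)
        return graphic

    def login(self, username, password):
        """Steps 2-3: verify the hashed password, then send back the user's graphic."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, pw_hash, graphic = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        return graphic

    def confirm(self, username, graphic_seen):
        """Steps 4-5: the user reports the graphic they saw; a session opens only on a match."""
        rec = self.users.get(username)
        if rec is None or graphic_seen != rec[2]:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token


class RelayingPhisher:
    """Hypothetical attacker site that forwards each step to the real bank.

    It offers the same login/confirm interface as BankSite, so the victim's
    browser cannot tell the difference, and it records everything that passes.
    """

    def __init__(self, real_site):
        self.real = real_site
        self.captured = []

    def login(self, username, password):
        graphic = self.real.login(username, password)
        self.captured.append((username, password, graphic))
        # The victim sees the correct graphic even though this is the phisher's site.
        return graphic

    def confirm(self, username, graphic_seen):
        token = self.real.confirm(username, graphic_seen)
        self.captured.append(("session", token))
        return token


def run_honest_login(site, username, password):
    """Client side of steps 1-5 against whatever site the user actually reached."""
    graphic = site.login(username, password)
    if graphic is None:
        return None
    return site.confirm(username, graphic)


def run_phished_login(real_site, username, password):
    """Same client flow, but the user has reached a relaying phisher instead of the bank."""
    phisher = RelayingPhisher(real_site)
    token = run_honest_login(phisher, username, password)
    return token, phisher.captured
```

Run against the honest site, a wrong password yields no graphic and a wrong graphic yields no session, which is the behaviour the post describes. Run through the relay, the victim still sees the right graphic at step 3 and still gets a valid session at step 5, while the phisher now holds the password, the graphic and the session token: the graphic proves the user is talking to someone who can reach the bank, not that nobody else is in the middle.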