WebApp Sec mailing list archives
Re: Summary: Growing Bad Practice with Login Forms
From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Thu, 29 Jul 2004 16:45:21 -0700
> You make them, just like you make them use a PIN. I'm also talking about higher security sites.
That's fine, but people forget their PIN all the time. They will also forget their graphic, which means that another graphic may not key them in that something's gone awry.
> I'm thinking about the procedure: 1) I go to your site and check ssl is on. <Assumption is that "your site" is the site I really wanted to go to.> 2) I put in my private information. 3) You send me back a graphic.
In general, this works best if the user doesn't have to put in the PIN yet since if they don't do step 1 (and most users won't) they will give their info to phishing attackers who won't care about the graphic.
> <Assumption is that we are the only ones who know the graphic.> 4) I have to send a reply back that the graphic I see is the correct graphic. It may take a couple of tries.
Is the number of tries because the other site may give you wrong images first, to see if you can pick out the right one? I've seen logins that basically use this instead of PINs entirely, in which they use either faces or other images instead of a PIN. The user has to pick their image out of the assortment provided, and the assortment changes each time, and the position of the right answer is random. I think the idea is cool, but I'm not sure users are any better at dealing with this than PINs, though studies indicate people can recall images/faces better than codes. Naturally, you'd need an out for the visually impaired.
> It's the assumptions that bother me and how to ensure minimal damage can occur before dual verification happens.
Well, we all know how assumptions will get you! A classic one is the "forgotten password Q&A." Nearly every site offers some sort of reset function like this, with either open ended questions or multiple choice answers with fixed questions. The problem is these become a sort of de facto password bypass, meaning that if the user has chosen a good password (iLUV2e8blueBareez) but a bad Q&A (last 4 digits of my ssn, mother's maiden name, etc.), the bad Q&A becomes the weakest link. Therefore, it's best if the Q&A is related to something that makes it harder to trick, such as rather than just answering the question, you also have to receive an email with a special code inside before you can begin (so at least the thief has to have access to your email before they can begin the Q&A attack).

Anyway, your idea is out there already. Does anybody have any experience using such a picture? If the process replaced an image with a phrase the user chose, would it be easier and better accommodate visually impaired folks? For example, I might choose something boring like "My son was born in March". It would be true, easily verifiable by me, yet nearly impossible for a phisher to attack.

And you could increase security like you suggested by using this to create a second level of "what you know" type of security, in which multiple choice of "which is my phrase" could be asked, and the phrase I actually selected may not appear right away.

In the end, though, this has to be more work than is necessary. People might put up with it, but I doubt it.

David
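As an added example (not code from the thread or from Yozons), the gating David describes above: the security questions stay unreachable until a single-use, expiring code sent by e-mail has been presented, answers are stored only as salted hashes, and a small attempt limit keeps the weak Q&A from being guessed at leisure. `ResetFlow` and its helpers are hypothetical names; the injectable `now` clock exists only so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60      # the emailed code expires after 15 minutes
MAX_QA_ATTEMPTS = 3      # then the whole reset session is discarded

def _hash_token(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()   # store hashes only
def _hash_answer(answer: str, salt: str) -> str:
    # Normalise case and whitespace, then salt and hash like any secret.
    return hashlib.sha256((salt + answer.strip().lower()).encode()).hexdigest()

class ResetFlow:
    def __init__(self, answers: dict, now=time.time):
        # Hypothetical reset flow: Q&A is unreachable until the emailed code is shown.
        self.now = now                       # injectable clock for testing expiry
        self.salt = secrets.token_hex(8)
        self.answers = {q: _hash_answer(a, self.salt) for q, a in answers.items()}
        self.sessions = {}                   # hashed code -> {"exp", "qa_open", "tries"}

    def begin(self) -> str:
        """Step 1: mint the random single-use code that gets e-mailed."""
        code = secrets.token_urlsafe(16)
        self.sessions[_hash_token(code)] = {
            "exp": self.now() + TOKEN_TTL, "qa_open": False, "tries": 0}
        return code

    def present_code(self, code: str) -> bool:
        """Step 2: the emailed code unlocks the Q&A stage exactly once."""
        sess = self.sessions.get(_hash_token(code))
        if sess is None or sess["qa_open"] or self.now() > sess["exp"]:
            return False
        sess["qa_open"] = True
        return True

    def answer(self, code: str, question: str, given: str) -> bool:
        """Step 3: only an unlocked, unexpired session may answer a question."""
        key = _hash_token(code)
        sess = self.sessions.get(key)
        if sess is None or not sess["qa_open"] or self.now() > sess["exp"]:
            return False
        if hmac.compare_digest(self.answers.get(question, ""), _hash_answer(given, self.salt)):
            del self.sessions[key]           # consumed: the reset may now proceed
            return True
        sess["tries"] += 1
        if sess["tries"] >= MAX_QA_ATTEMPTS:
            del self.sessions[key]           # lock out guessing of the weak Q&A
        return False
```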