WebApp Sec mailing list archives

Re: Summary: Growing Bad Practice with Login Forms


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Thu, 29 Jul 2004 16:45:21 -0700

You make them, just like you make them use a PIN. I'm also talking about
higher security sites.

That's fine, but people forget their PIN all the time.  They will also
forget their graphic, which means that another graphic may not key them in
that something's gone awry.

I'm thinking about the procedure:
1) I go to your site and check ssl is on.
<Assumption is that "your site" is the site I really wanted to go to.>
2) I put in my private information.
3) You send me back a graphic.

In general, this works best if the user doesn't have to put in the PIN yet
since if they don't do step 1 (and most users won't) they will give their
info to phishing attackers who won't care about the graphic.

<Assumption is that we are the only ones who know the graphic.>
4) I have to send a reply back that the graphic I see is the
correct graphic. It may take a couple of tries.

Is the number of tries because the other site may give you wrong images
first, to see if you can pick out the right one?

I've seen logins that basically use this instead of PINs entirely, in which
they use either faces or other images instead of a PIN.  The user has to
pick their image out of the assortment provided, and the assortment changes
each time, and the position of the right answer is random.  I think the idea
is cool, but I'm not sure users are any better at dealing with this than
PINs, though studies indicate people can recall images/faces better than
codes.  Naturally, you'd need an out for the visually impaired.

It's the assumptions that bother me and how to ensure minimal damage
can occur before dual verification happens.

Well, we all know how assumptions will get you!

A classic one is the "forgotten password Q&A."  Nearly every site offers some
sort of reset function like this, with either open ended questions or
multiple choice answers with fixed questions.  The problem is these become a
sort of de facto password bypass, meaning that if the user has chosen a good
password (iLUV2e8blueBareez) but a bad Q&A (last 4 digits of my ssn,
mother's maiden name, etc.), the bad Q&A becomes the weakest link.
Therefore, it's best if the Q&A is related to something that makes it harder
to trick, such as rather than just answering the question, you also have to
receive an email with a special code inside before you can begin (so at
least the thief has to have access to your email before they can begin the
Q&A attack).

Anyway, your idea is out there already.  Does anybody have any
experience using such a picture?  If the process replaced an image with a
phrase the user chose, would it be easier, and better accommodate visually
impaired folks?  For example, I might choose something boring like "My son
was born in March".  It would be true, easily verifiable by me, yet nearly
impossible for a phisher to attack.  And you could increase security like you
suggested by using this to create a second level of "what you know" type of
security, in which multiple choice of "which is my phrase" could be asked,
and the phrase I actually selected may not appear right away.  In the end,
though, this has to be more work than is necessary.  People might put up
with it, but I doubt it.

David
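
The reset flow David sketches above (an emailed one-time code must be accepted before the Q&A is even offered, so the weak answer is no longer a stand-alone password bypass) as an added example. This is not code from the thread or from any product; the class name, the in-memory stores, the mailbox stand-in and the sample user are all constructed for illustration.

```python
"""Password-reset flow that gates the security Q&A behind an emailed code.

Added example, not from the original thread. The in-memory stores and the
outbox list that stands in for a mail server are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # the emailed code is only good for 15 minutes
MAX_ANSWER_ATTEMPTS = 3      # abandon the reset after a few wrong Q&A answers


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise so "March" and " march " compare equal, then hash with a
    # per-user salt so the stored value is not itself a reusable secret.
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 50_000)


class PasswordReset:
    def __init__(self):
        self.users = {}     # username -> {"email", "salt", "answer_hash"}
        self.pending = {}   # username -> state of an in-progress reset
        self.outbox = []    # (address, code) pairs; stands in for the mailer

    def enroll(self, username, email, answer):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "answer_hash": _hash_answer(answer, salt)}

    def request_reset(self, username, now=None):
        """Step 1: mail a one-time code. The question is not shown yet."""
        now = time.time() if now is None else now
        if username not in self.users:
            return  # same silence for unknown users: no account enumeration
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[username] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires": now + CODE_TTL_SECONDS,
            "code_ok": False,
            "attempts": 0,
        }
        self.outbox.append((self.users[username]["email"], code))

    def submit_code(self, username, code, now=None):
        """Step 2: prove access to the mailbox before any Q&A is offered."""
        now = time.time() if now is None else now
        st = self.pending.get(username)
        if st is None or now > st["expires"]:
            self.pending.pop(username, None)   # expired: must start over
            return False
        given = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(given, st["code_hash"]):
            return False
        st["code_ok"] = True
        return True

    def answer_question(self, username, answer, now=None):
        """Step 3: the Q&A, reachable only after the emailed code was accepted.
        Returns a fresh reset token on success, None otherwise."""
        now = time.time() if now is None else now
        st = self.pending.get(username)
        if st is None or not st["code_ok"] or now > st["expires"]:
            return None
        st["attempts"] += 1
        if st["attempts"] > MAX_ANSWER_ATTEMPTS:
            self.pending.pop(username, None)   # too many guesses: start over
            return None
        u = self.users[username]
        if hmac.compare_digest(_hash_answer(answer, u["salt"]), u["answer_hash"]):
            self.pending.pop(username, None)   # one-shot: token ends the flow
            return secrets.token_urlsafe(32)
        return None


if __name__ == "__main__":
    flow = PasswordReset()
    flow.enroll("alice", "alice@example.com", "March")   # constructed user
    print("Q&A before code:", flow.answer_question("alice", "March"))
    flow.request_reset("alice")
    code = flow.outbox[-1][1]                             # "read" the email
    print("code accepted:", flow.submit_code("alice", code))
    print("reset token:", flow.answer_question("alice", " march "))
```

The ordering is the point: an attacker who knows the maiden name or the last four digits of the SSN gets nothing from the site until they have also read the mailbox, and the code itself expires and is single-use, so it cannot be kept as a second weak credential.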

