WebApp Sec mailing list archives
RE: Summary: Growing Bad Practice with Login Forms
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Fri, 30 Jul 2004 09:39:54 -0400
This has some potential, but let's say that there are five graphics displayed for the user to choose from, and that the other graphics are of course random graphics and all pics are placed in random order. Wouldn't it be simple to just go to this particular page a few times and see which ONE graphic keeps appearing? At a minimum I've got a 20% chance of guessing it on the first try, and the odds go up to 100% VERY quickly. At least with the hint question/answer you could have thousands of choices to guess from, and the users, if they are smart, could use something completely wacky for an answer, i.e. favorite car = red schwinn. If I've missed some earlier parts of the conversation, forgive me, as I've just started reading this thread. [snip]
I've seen logins that basically use this instead of PINs entirely, in which they use either faces or other images instead of a PIN. The user has to pick their image out of the assortment provided, and the assortment changes each time, and the position of the right answer is random. I think the idea is cool, but I'm not sure users are any better at dealing with this than PINs, though studies indicate people can recall images/faces better than codes. Naturally, you'd need an out for the visually impaired.
Current thread:
- RE: Summary: Growing Bad Practice with Login Forms Robinson, Sonja (Jul 31)
- <Possible follow-ups>
- RE: Summary: Growing Bad Practice with Login Forms Mark Curphey (Aug 01)