WebApp Sec mailing list archives

RE: Should login pages be protected by SSL?


From: Glenn Euloth <eulothg () hfx eastlink ca>
Date: Wed, 22 Jun 2005 09:56:19 -0300

So, what we're really saying is that the biggest hurdle to decent security
is not the technology but the education of the masses who use it.  Which
means we have to make the security totally transparent to the user or solve
the unsolvable problem of user education.

With this in mind would it make more sense to develop systems that do not
let the user choose their password?  This way, they can't use the same
password for everything they do on the web.  The only problem then is
managing the passwords.

For a geek like myself, I can figure out how to easily make use of Bruce
Schneier's Password Safe or another tool like it and ensure that I have a
different password for all my web surfing needs but grandma is going to have
a very difficult time with a setup like this.

Starts to bring me back to that old programming adage.  "Build a system that
an idiot can use and only an idiot will want to use it."

Regards, Glenn Euloth


There may not be an advantage in breaking into that account but 
consider that when grandmother registered at the web site she 
probably picked the same userid and password and password hint as 
she has at lots of other sites ..

And SSL does nothing to mitigate that risk.

-Steve

--
Steve Shah
sshah () RisingEdge org


SSL mitigates the risk of being able to sniff the userid/password from the
unsecured wireless WAPs.
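As an added example of the design Glenn floats above (system-assigned passwords so the user cannot reuse one from another site), not code from this list or from any product: the server generates the credential with a CSPRNG, stores only a salted scrypt hash, and verifies with a constant-time compare. The names assign_password and verify_password and the in-memory dict store are assumptions for illustration.

```python
import hashlib
import os
import secrets
import string

# Added example, hypothetical names: a site that assigns passwords
# server-side instead of letting users pick (and reuse) their own.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16


def generate_password(length=PASSWORD_LENGTH):
    """Cryptographically random password drawn from letters and digits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted scrypt hash; returns (salt, digest) as bytes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def assign_password(store, user):
    """Create the credential for `user`; only the hash is stored.
    Returns the plaintext once so it can be shown to the user (or fed
    to a password manager); the server never keeps it."""
    password = generate_password()
    store[user] = hash_password(password)
    return password


def verify_password(store, user, candidate):
    """Check a login attempt against the stored salted hash."""
    rec = store.get(user)
    if rec is None:
        # Hash anyway so timing does not reveal whether the account exists.
        hash_password(candidate)
        return False
    salt, digest = rec
    _, cand = hash_password(candidate, salt)
    return secrets.compare_digest(digest, cand)
```

Note that this only removes reuse across sites; it does nothing for credentials sniffed in transit, which is the separate risk SSL addresses.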
