WebApp Sec mailing list archives
RE: Summary: Growing Bad Practice with Login Forms
From: "Herman Frederick Ebeling Jr." <hfebelingjr () lycos com>
Date: Wed, 28 Jul 2004 12:30:22 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Mike Peppard [mailto:mpeppard () impole com]
Sent: Wednesday, 28 July, 2004 10:49
To: webappsec () lists securityfocus com
Subject: RE: Summary: Growing Bad Practice with Login Forms
In the same way that sites tell users to look for the padlock, they should
also be told to verify the certificate before blindly accepting it <snip>
Certs can be faked occasionally. Not many users want to be educated about verifying a cert. (Users are predictably unpredictable/dumb/busy/don't care)
Just as when banking you may get asked for two letters from your passphrase, the application could give you two characters from its passphrase to let you know that it's the real deal. If the characters don't add up ... you're in trouble.

Something like a database of unique graphics, and you know you're secure if the site has hashed your password and chosen "your" graphic to put in the upper corner of every page? NOW that makes the most sense. And I think it should give the user the sense of security that they are looking for.

My local library, even though they "mask" the password, DOESN'T use a secured server. It makes me wonder why they even bother with passwords at all.

Herman F. Ebeling Jr.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQQfSPR/i52nbE9vTEQK8uwCgvypTk3W2QHF0Qj6YuYQ3sfxyoGEAoPtV
DE1k6kkTh0rgGlRxWXzkgusW
=tAYY
-----END PGP SIGNATURE-----
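The two-way partial-secret exchange sketched above (the bank asks for two letters of the user's passphrase, the site proves itself by showing two characters of a per-user site passphrase and the user's chosen graphic), worked through with both sides' messages. This is an added example, not code from the thread or from any bank or library mentioned in it; the user record, the secrets, the image identifier and the in-memory "database" are all constructed for illustration.

```python
"""Mutual partial-secret login, both sides in one file.

Added example (not from the mailing list). USERS, PENDING and every
secret below are constructed for illustration.
"""
import hmac
import secrets

# Constructed enrolment record. The site passphrase and image are chosen at
# enrolment and shown *back* to the user, never typed by them. Note that a
# partial-character challenge forces the server to keep the passphrase in a
# form it can read characters from, so a salted hash cannot be used here.
USERS = {
    "alice": {
        "passphrase": "correct horse battery staple",  # user's secret
        "site_phrase": "blue teapot on a red shelf",   # site's per-user secret
        "image_id": "img_0427_teapot",                 # user-chosen graphic
    }
}

# Server-side state: which positions were challenged in step 1. Kept on the
# server so the client cannot pick which characters it reveals.
PENDING = {}


def pick_positions(secret, n=2):
    """Choose n distinct 0-based positions in secret with a CSPRNG."""
    positions = set()
    while len(positions) < n:
        positions.add(secrets.randbelow(len(secret)))
    return sorted(positions)


def _chars_at(text, positions):
    """Characters of text at positions, or None if any index is out of range."""
    if any(not 0 <= i < len(text) for i in positions):
        return None
    return "".join(text[i] for i in positions)


def _same(a, b):
    """Constant-time string comparison; None never matches."""
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.encode(), b.encode())


def server_step1(username):
    """Step 1 (server): user names themself; site proves it knows their record
    and issues its own challenge. Returns None for an unknown user."""
    rec = USERS.get(username)
    if rec is None:
        return None
    site_pos = pick_positions(rec["site_phrase"])
    user_pos = pick_positions(rec["passphrase"])
    PENDING[username] = user_pos
    return {
        "image_id": rec["image_id"],
        "site_positions": site_pos,
        "site_chars": _chars_at(rec["site_phrase"], site_pos),
        "challenge_positions": user_pos,
    }


def client_verify_site(enrolled, reply):
    """Step 1 (client): do the graphic and the revealed characters match what
    this user enrolled? Only then is the passphrase challenge answered."""
    if reply is None:
        return False
    expected = _chars_at(enrolled["site_phrase"], reply["site_positions"])
    return (_same(enrolled["image_id"], reply["image_id"])
            and _same(expected, reply["site_chars"]))


def client_answer(enrolled, reply):
    """Step 2 (client): reveal only the characters the server asked for."""
    return _chars_at(enrolled["passphrase"], reply["challenge_positions"])


def server_step2(username, answer):
    """Step 2 (server): check the answer against the positions *we* issued.
    A step 2 with no outstanding step 1 is rejected."""
    positions = PENDING.pop(username, None)
    rec = USERS.get(username)
    if positions is None or rec is None:
        return False
    return _same(_chars_at(rec["passphrase"], positions), answer)


def run_login(username, enrolled):
    """Drive both sides; returns (site_verified, user_authenticated)."""
    reply = server_step1(username)
    if not client_verify_site(enrolled, reply):
        return (False, False)
    return (True, server_step2(username, client_answer(enrolled, reply)))
```

Two points the code makes explicit: the challenge positions are chosen and remembered by the server, so a client cannot decide which two characters to disclose; and the site-side proof only shows that whatever answered step 1 can read the user's record, so it complements checking the certificate rather than replacing it.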
Current thread:
- Re: Growing Bad Practice with Login Forms, (continued)
- Re: Growing Bad Practice with Login Forms Darragh O'Brien (Jul 27)
- RE: Growing Bad Practice with Login Forms Lane Weast (Jul 27)
- Re: Growing Bad Practice with Login Forms Jason Coombs PivX Solutions (Jul 27)
- Summary: Growing Bad Practice with Login Forms athena (Jul 27)
- Re: Summary: Growing Bad Practice with Login Forms Ivan Andres Hernandez Puga (Jul 28)
- Re: Summary: Growing Bad Practice with Login Forms David Telfer (Jul 28)
- Re: Summary: Growing Bad Practice with Login Forms Rogan Dawes (Jul 28)
- Re: Summary: Growing Bad Practice with Login Forms athena (Jul 28)
- RE: Summary: Growing Bad Practice with Login Forms Yvan Boily (Jul 28)
- Summary: Growing Bad Practice with Login Forms athena (Jul 27)
- RE: Summary: Growing Bad Practice with Login Forms Mike Peppard (Jul 28)
- RE: Summary: Growing Bad Practice with Login Forms Herman Frederick Ebeling Jr. (Jul 28)
- Re: Summary: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 28)
- RE: Summary: Growing Bad Practice with Login Forms Mike Peppard (Jul 29)
- Re: Summary: Growing Bad Practice with Login Forms David Wall @ Yozons, Inc. (Jul 30)
- Re: Summary: Growing Bad Practice with Login Forms Murf (Jul 30)
- RE: Summary: Growing Bad Practice with Login Forms Mike Peppard (Jul 31)
- Re: Summary: Growing Bad Practice with Login Forms Jimi Thompson (Aug 01)
- Re: Summary: Growing Bad Practice with Login Forms athena (Jul 31)
- Re: Summary: Growing Bad Practice with Login Forms Stefan Paletta (Jul 31)
- Re: Growing Bad Practice with Login Forms Steve (Jul 27)