Re: Summary: Growing Bad Practice with Login Forms

[Stefan Paletta <stefanp () cabal1 com>]

athena () buyukada co uk wrote/schrieb/scripsit:
> Again, using the passphrase example. On the first page the user submits
> their information to confirm who they are. On the second page they will
> perform secondary authentication but two characters will appear on the
> page. If the first stage authentication was correct, then the two
> characters will be from the user's agreed site authentication passphrase.
> If the first stage authentication failed, then two random characters (not
> part of the passphrase) will appear. If this is implemented correctly,
> only the user really knows if the first stage authentication worked.
> Cool, huh?

The attacker can act as a MITM and simply proxy the information from
the first step to the original site, thereby having it disclose the
correct string to present to the user.

-Stefan
-- 
 junior guru   SP666-RIPE     JID:stefanp () jabber de cw net    SMP@IRC