WebApp Sec mailing list archives

RE: Summary: Growing Bad Practice with Login Forms


From: "Herman Frederick Ebeling Jr." <hfebelingjr () lycos com>
Date: Wed, 28 Jul 2004 12:30:22 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- -----Original Message-----
From: Mike Peppard [mailto:mpeppard () impole com]
Sent: Wednesday, 28 July, 2004 10:49
To: webappsec () lists securityfocus com
Subject: RE: Summary: Growing Bad Practice with Login Forms


In the same way that sites tell users to look for the padlock, they should
also be told to verify the certificate before blindly accepting it <snip>

Certs can be faked occasionally.
Not many users want to be educated about verifying a cert.
(Users are predictably unpredictable/dumb/busy/don't care)

Just as when banking you may get asked for two letters from your passphrase,
the application could give you two characters from its passphrase to let
you know that it's the real deal. If the characters don't add up ... you're
in trouble.

Something like a database of unique graphics and you know you're secure if
the site has hashed your password and chosen "your" graphic to put in the
upper corner of every page?

NOW that makes the most sense.  And I think it should give the user the sense
of security that they are looking for.
My local lib. even though they "mask" the password they DON'T use a secured
server.  It makes me wonder why they even bother with passwords at all.

Herman F. Ebeling Jr.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQQfSPR/i52nbE9vTEQK8uwCgvypTk3W2QHF0Qj6YuYQ3sfxyoGEAoPtV
DE1k6kkTh0rgGlRxWXzkgusW
=tAYY
-----END PGP SIGNATURE-----
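Both suggestions in the quoted message (the site revealing two characters of a per-user phrase, and a per-user graphic on every page) are forms of the same idea: the genuine site proves it knows something about the account before the user types a password. The following Python is an added example written for this archive page; it is not code from either poster or from any product they mention. The image catalogue, the server key and the enrolled phrases are constructed sample data. One deliberate departure from the post: the graphic is chosen from an HMAC of the username under a server-side secret rather than from a hash of the password, so the choice leaks nothing about the password and does not change when the password does.

```python
import hashlib
import hmac
import secrets

# Constructed catalogue of site-identity images. A real deployment keeps a
# much larger set server-side; users never edit it.
IMAGE_CATALOGUE = [
    "red_sailboat.png",
    "green_teapot.png",
    "blue_bicycle.png",
    "yellow_lighthouse.png",
    "purple_umbrella.png",
    "orange_kite.png",
]

# Constructed server-side secret (assumption: loaded from a key store in practice).
SERVER_KEY = b"constructed-server-secret-not-for-real-use"

# Constructed per-user site phrases, enrolled when the account was opened.
# The server must later reveal characters of them, so they have to be stored
# reversibly (encrypted at rest), never as a one-way password hash.
SITE_PHRASES = {"alice": "correct horse", "bob": "seven green apples"}


def personal_image(username: str, key: bytes = SERVER_KEY) -> str:
    """Pick the same catalogue image for a user on every page load.

    Keyed with a server secret over the normalised username (an assumption of
    this example, not the post's password-hash idea), so a site that lacks the
    key has no better than a random chance of showing the right picture.
    """
    name = username.strip().lower().encode("utf-8")
    mac = hmac.new(key, name, hashlib.sha256).digest()
    return IMAGE_CATALOGUE[int.from_bytes(mac[:4], "big") % len(IMAGE_CATALOGUE)]


def pick_positions(phrase_length: int) -> tuple:
    """Choose two distinct 1-based positions with the OS CSPRNG."""
    if phrase_length < 2:
        raise ValueError("site phrase must have at least two characters")
    first, second = sorted(secrets.SystemRandom().sample(range(1, phrase_length + 1), 2))
    return first, second


def reveal_site_phrase_chars(phrase: str, positions: tuple) -> str:
    """Return the characters at the given 1-based positions, in order."""
    return "".join(phrase[p - 1] for p in positions)


def render_identity_panel(username: str, phrase: str, positions: tuple = None) -> dict:
    """Build what the genuine site shows once the user has typed a name.

    The positions are fresh per page load unless supplied (supplied only so
    the behaviour is reproducible in tests).
    """
    positions = positions or pick_positions(len(phrase))
    return {
        "image": personal_image(username),
        "positions": positions,
        "chars": reveal_site_phrase_chars(phrase, positions),
    }


def user_checks_panel(panel: dict, remembered_image: str, remembered_phrase: str) -> bool:
    """The user's side of the check: the picture must be theirs and the two
    revealed characters must match their own phrase at the stated positions.
    Either mismatch is the "you're in trouble" case from the post."""
    expected_chars = reveal_site_phrase_chars(remembered_phrase, panel["positions"])
    return panel["image"] == remembered_image and hmac.compare_digest(
        panel["chars"].encode("utf-8"), expected_chars.encode("utf-8")
    )


if __name__ == "__main__":
    genuine = render_identity_panel("alice", SITE_PHRASES["alice"])
    print("genuine site panel:", genuine)
    print("user accepts genuine:", user_checks_panel(genuine, personal_image("alice"), "correct horse"))
    # A site that does not hold the enrolled phrase has to guess it.
    lookalike = render_identity_panel("alice", "wrong phrase", genuine["positions"])
    print("user accepts lookalike:", user_checks_panel(lookalike, personal_image("alice"), "correct horse"))
```

Two points of design worth noting. The panel is produced after the username is known but before any password is checked, so it is a cue that helps a user notice an unfamiliar page, not an authentication step, and rate limiting on the username lookup still matters. The revealed characters are compared with `hmac.compare_digest` purely out of habit for secret comparisons; the real protection is that the lookalike must already know the phrase to pass.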


