WebApp Sec mailing list archives

Re: Summary: Growing Bad Practice with Login Forms


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Wed, 28 Jul 2004 09:46:14 -0700

Something like a database of unique graphics and you know you're secure if
the site has hashed your password and chosen "your" graphic to put in the
upper corner of every page?

This sort of solution would only help people who are already
conscientious.  How many people would want to go to the extra trouble of
establishing such an image and then remembering the images?  People who are
tricked with phishing typically would fail to note that the image wasn't
displayed because they are more or less blindly following instructions. Heck,
criminals would send fake messages saying the recipient's image was stolen
and that they'd like you to come and choose a new image -- after giving your
username and password of course!

If people all had small images of themselves that they could upload, this
would be good and obviously easily recognizable, but most people don't have
them to upload.

To make this work, you also have to break the login step into two steps.
First, you need to identify yourself so that the image can be displayed, but
before the password is entered.  If you prompted for both, would the user
remember that he's supposed to do this in two steps and that he should not
go further, especially if the user was tricked by a phishing email that
perhaps made him think something had gone wrong?

Unfortunately, most good security prospects seem to only work with people
who care about security.  And if people care so little about security, is
there really a security problem to them?  When criminals break into homes
routinely, people bought locks and in higher crime areas, they even bar
their windows.  Scams have been with humans since the beginning because most
people are easy targets and scams are not as common as security people would
have us believe.

David
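The two-step flow the post describes, written out as an added Python example (this is editor-supplied illustration, not code from the post or from any product): step one takes only the username and returns the account's registered image identifier together with a one-time token, so the image can be shown before any password is typed; step two takes that token and the password and checks a salted PBKDF2 hash, so the site stores only a hash as the post assumes. The `TwoStepLogin` class, the user records and the image identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class TwoStepLogin:
    """Hypothetical two-phase login: identify -> show image -> password."""

    def __init__(self) -> None:
        # username -> {"salt", "hash", "image"}; an in-memory stand-in for a database
        self.users: dict[str, dict] = {}
        # one-time token -> username, issued by step 1 and consumed by step 2
        self.pending: dict[str, str] = {}

    def register(self, username: str, password: str, image_id: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "image": image_id,
        }

    def step1_identify(self, username: str):
        """Phase 1: given only a username, return (token, image_id) so the page
        can display the user's chosen image before asking for the password.
        Returns None for an unknown username (see note below)."""
        user = self.users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        return token, user["image"]

    def step2_password(self, token: str, password: str) -> bool:
        """Phase 2: the token ties this password submission to the phase-1 page
        that showed the image. Each token works exactly once."""
        username = self.pending.pop(token, None)
        if username is None:
            return False
        user = self.users[username]
        candidate = hash_password(password, user["salt"])
        # constant-time comparison of the two digests
        return hmac.compare_digest(candidate, user["hash"])


if __name__ == "__main__":
    # constructed sample account
    site = TwoStepLogin()
    site.register("alice", "correct horse battery", "img_0042")
    token, image = site.step1_identify("alice")
    print("show image before password prompt:", image)
    print("login ok:", site.step2_password(token, "correct horse battery"))
```

One design note on the example: returning `None` for an unknown username tells the caller which accounts exist, so a deployment would return a decoy image and a throwaway token instead of a distinguishable failure.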
