WebApp Sec mailing list archives

Re: Summary: Growing Bad Practice with Login Forms


From: <athena () buyukada co uk>
Date: Fri, 30 Jul 2004 08:30:23 +0100 (BST)

Something like a database of unique graphics and you know you're
secure if the site has hashed your password and chosen "your" graphic
to put in the upper corner of every page?

This sort of solution would only help people who are already
conscientious.  How many people would want to go to the extra trouble
of establishing such an image and then remembering the images?  People
who are tricked with phishing typically would fail to note that the
image wasn't displayed because they are more or less blindly following
instructions. Heck, criminals would send fake messages saying the
recipient's image was stolen and that they'd like you to come and
choose a new image -- after giving your username and password of
course!

As I mentioned in an earlier post, images are largely unsuitable as you'd
have to use alternate text for certain browsers and the disabled. To be
fair, there are an awful lot of sites out there that completely fail to
cater for the non-IE user, let alone for the sightless user, but using an
image as well as having to add upload and storage functionality means that
the site's authentication to the user cannot be used in other ways.
Sometimes this isn't an issue. Certainly in the UK, pending accessibility
legislation would render the image approach illegal, and litigators are
already gearing up to sue here.

If people all had small images of themselves that they could upload,
this would be good and obviously easily recognizable, but most people
don't have them to upload.

To make this work, you also have to break the login step into two
steps. First, you need to identify yourself so that the image can be
displayed, but before the password is entered.  If you prompted for
both, would the user remember that he's supposed to do this in two
steps and that he should not go further, especially if the user was
tricked by a phishing email that perhaps made him think something had
gone wrong?

Again, using the passphrase example. On the first page the user submits
their information to confirm who they are. On the second page they will
perform secondary authentication but two characters will appear on the
page. If the first stage authentication was correct, then the two
characters will be from the user's agreed site authentication passphrase.
If the first stage authentication failed, then two random characters (not
part of the passphrase) will appear. If this is implemented correctly,
only the user really knows if the first stage authentication worked.
Cool, huh?

Steve
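The two-stage passphrase login described in the post above, as an added example that is not the poster's code or any product's implementation. It assumes an in-memory user store, PBKDF2 for the login password and the stage-2 secret, and a 1-based "character N of your passphrase" display; the decoy rule (two characters that do not occur in the passphrase) and the default hint length of 8 for unknown usernames are assumptions made here. The usernames, passwords and passphrases in the demo are constructed sample data.

```python
import hashlib
import hmac
import secrets
import string

# Added example, not code from the original post. Implements the sketch:
# stage 1 checks username/password; the stage-2 page then shows two characters
# drawn from the user's agreed site passphrase only if stage 1 succeeded, and
# two characters NOT in the passphrase otherwise. Only the user can tell which.

ALPHABET = string.ascii_lowercase + string.digits
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16          # equalises stage-1 timing for unknown usernames

USERS = {}      # username -> record   (constructed in-memory store)
SESSIONS = {}   # session id -> pending-login state


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def register(username, password, site_passphrase, secondary_secret):
    """Store the login password and stage-2 secret hashed; the site passphrase
    has to be kept recoverable because pieces of it are displayed."""
    if len(site_passphrase) < 2:
        raise ValueError("site passphrase must be at least two characters")
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _kdf(password, salt),
        "site_passphrase": site_passphrase,
        "sec_hash": _kdf(secondary_secret, salt),
    }


def _decoy_chars(passphrase):
    """Two random characters not occurring in the passphrase (the post's rule).
    Edge case: if the passphrase uses the whole alphabet, fall back to all of it."""
    pool = [c for c in ALPHABET if c not in passphrase] or list(ALPHABET)
    return [secrets.choice(pool) for _ in range(2)]


def stage_one(username, password):
    """Stage 1: verify the login password. Always returns (session_id, hints)
    so the response shape itself does not reveal success or failure."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else DUMMY_SALT
    expected = rec["pw_hash"] if rec else _kdf("", DUMMY_SALT)
    ok = rec is not None and hmac.compare_digest(_kdf(password, salt), expected)

    rng = secrets.SystemRandom()
    if ok:
        phrase = rec["site_passphrase"]
        positions = sorted(rng.sample(range(1, len(phrase) + 1), 2))
        hints = [(p, phrase[p - 1]) for p in positions]          # real characters
    else:
        phrase = rec["site_passphrase"] if rec else ""
        length = len(phrase) if rec else 8                      # assumed default
        positions = sorted(rng.sample(range(1, length + 1), 2))
        hints = list(zip(positions, _decoy_chars(phrase)))      # decoy characters

    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"username": username, "stage1_ok": ok}
    return sid, hints


def stage_two(session_id, secondary_secret):
    """Stage 2: accept the secondary secret only if stage 1 passed for this
    single-use session."""
    state = SESSIONS.pop(session_id, None)
    if state is None or not state["stage1_ok"]:
        return False
    rec = USERS[state["username"]]
    return hmac.compare_digest(_kdf(secondary_secret, rec["salt"]), rec["sec_hash"])


def hints_match(hints, passphrase):
    """What the user checks by eye: is each shown character really at that position?"""
    return all(passphrase[p - 1] == c for p, c in hints)


if __name__ == "__main__":
    register("alice", "correct horse battery", "seahorse42", "marmalade")
    sid, hints = stage_one("alice", "correct horse battery")
    print("good login hints:", hints, hints_match(hints, "seahorse42"))
    print("stage 2:", stage_two(sid, "marmalade"))
    _, bad = stage_one("alice", "wrong password")
    print("bad login hints:", bad, hints_match(bad, "seahorse42"))
```

Two things a deployment of this would need to handle beyond the sketch. The decoy rule leaks information: every failed stage 1 shows two characters that are definitely not in the passphrase, so an attacker who can submit wrong passwords for a username at will gradually learns the passphrase's alphabet; stage 1 therefore needs rate limiting and lockout. And a phisher who relays the victim's stage-1 credentials to the real site in real time receives the genuine characters and can show them to the victim, so the scheme defends against static phishing pages, not live relays.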


