WebApp Sec mailing list archives
Re: Summary: Growing Bad Practice with Login Forms
From: <athena () buyukada co uk>
Date: Fri, 30 Jul 2004 08:30:23 +0100 (BST)
Something like a database of unique graphics, and you know you're secure if the site has hashed your password and chosen "your" graphic to put in the upper corner of every page?

This sort of solution would only help people who are already conscientious. How many people would want to go to the extra trouble of establishing such an image and then remembering the images? People who are tricked by phishing typically would fail to note that the image wasn't displayed because they are more or less blindly following instructions. Heck, criminals would send fake messages saying the recipient's image was stolen and that they'd like you to come and choose a new image -- after giving your username and password, of course!
As I mentioned in an earlier post, images are largely unsuitable, as you'd have to use alternate text for certain browsers and the disabled. To be fair, there are an awful lot of sites out there that completely fail to cater for the non-IE user, let alone for the sightless user. But using an image, as well as having to add upload and storage functionality, means that the site's authentication to the user cannot be used in other ways. Sometimes this isn't an issue. Certainly in the UK, pending accessibility legislation would render the image approach illegal, and litigators are already gearing up to sue here.
If people all had small images of themselves that they could upload, this would be good and obviously easily recognizable, but most people don't have them to upload. To make this work, you also have to break the login step into two steps. First, you need to identify yourself so that the image can be displayed, but before the password is entered. If you prompted for both, would the user remember that he's supposed to do this in two steps and that he should not go further, especially if the user was tricked by a phishing email that perhaps makes him think something had gone wrong?
Again, using the passphrase example: on the first page the user submits their information to confirm who they are. On the second page they will perform secondary authentication, but two characters will appear on the page. If the first-stage authentication was correct, then the two characters will be from the user's agreed site authentication passphrase. If the first-stage authentication failed, then two random characters (not part of the passphrase) will appear. If this is implemented correctly, only the user really knows if the first-stage authentication worked. Cool, huh?

Steve
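The two-stage login Steve describes, as an added example that is not code from the list or any of its posters: a constructed user store, a stage one that returns two characters in the same response shape whether it passed (characters from the agreed phrase) or failed (letters outside it), and a stage two that accepts the secondary credential (assumed here to be a PIN) only when stage one passed.

```python
import hmac
import secrets
import string
from hashlib import pbkdf2_hmac

# Constructed user store (not the list's code): hashed password, hashed PIN
# for stage two, and the site-authentication phrase agreed at sign-up.
_SALT = b"constructed-static-salt"  # use a per-user random salt in real code

def _hash(secret: str) -> bytes:
    return pbkdf2_hmac("sha256", secret.encode(), _SALT, 50_000)

USERS = {
    "alice": {"pw_hash": _hash("correct horse"), "pin_hash": _hash("4711"),
              "site_phrase": "buyukada"},
}
_DUMMY_HASH = _hash("")  # compared for unknown users so timing stays flat
_SESSIONS = {}           # stage-one token -> whether stage one passed

def stage_one(username: str, password: str) -> tuple:
    """Return (opaque token, two characters). On success the characters
    come from the agreed phrase, on failure from letters outside it;
    both branches have the same shape, so only the phrase's owner can
    tell them apart."""
    record = USERS.get(username)
    expected = record["pw_hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password), expected) and record is not None
    rng = secrets.SystemRandom()
    if ok:
        phrase = record["site_phrase"]
        i, j = sorted(rng.sample(range(len(phrase)), 2))
        shown = phrase[i] + phrase[j]
    else:
        avoid = set(record["site_phrase"]) if record else set()
        shown = "".join(rng.sample([c for c in string.ascii_lowercase
                                    if c not in avoid], 2))
    token = secrets.token_urlsafe(16)
    _SESSIONS[token] = ok
    return token, shown

def user_recognises(shown: str, phrase: str) -> bool:
    """The check the legitimate user makes in their head on page two."""
    return all(c in phrase for c in shown)

def stage_two(token: str, username: str, pin: str) -> bool:
    """Secondary authentication; only succeeds if stage one passed."""
    record = USERS.get(username)
    if not _SESSIONS.pop(token, False) or record is None:
        return False
    return hmac.compare_digest(_hash(pin), record["pin_hash"])
```

Because the failure branch never shows a phrase character, repeated failures against a known username gradually reveal which letters the phrase lacks, so stage one needs the same lockout or rate limiting as an ordinary password form.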