WebApp Sec mailing list archives

RE: Summary: Growing Bad Practice with Login Forms


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Fri, 30 Jul 2004 09:39:54 -0400

This has some potential but let's say that there are five graphics that are
displayed for the user to choose from.  And that the other graphics are of
course random graphics and all pics are placed in random order.  Wouldn't it
be simple to just go to this particular page a few times and see which ONE
graphic keeps appearing???  At a minimum I've got a 20% chance of guessing
it on the first try and the odds go up to 100% VERY quickly.  At least with
the hint question/answer you could have 1000s of choices to guess from and
the users, if they are smart, could use something completely wacky for an
answer, i.e. favorite car = red schwinn.

If I've missed some earlier parts to the conversation, forgive me, as I've
just started reading this thread.

[snip]
I've seen logins that basically use this instead of PINs entirely, in which
they use either faces or other images instead of a PIN.  The user has to
pick their image out of the assortment provided, and the assortment changes
each time, and the position of the right answer is random.  I think the idea
is cool, but I'm not sure users are any better at dealing with this than
PINs, though studies indicate people can recall images/faces better than
codes.  Naturally, you'd need an out for the visually impaired.
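The intersection problem raised in the reply above, as an added simulation that is not part of the original message or thread: when the user's image is always present among freshly chosen random decoys, intersecting the assortments seen over a few page loads isolates it, whereas a fixed decoy set chosen once per user (an assumed mitigation, not something the thread proposes) keeps the intersection at the full page size. Image ids, pool size and seed are constructed.

```python
import random

POOL = list(range(100))  # constructed: ids of every image the server can show
SHOWN = 5                # images on each login page, as in the reply above
SECRET = 42              # constructed: the user's chosen image


def render_random_decoys(secret, rng):
    """Scheme discussed above: secret plus SHOWN-1 fresh random decoys, shuffled."""
    page = rng.sample([i for i in POOL if i != secret], SHOWN - 1) + [secret]
    rng.shuffle(page)
    return page


def make_fixed_decoy_renderer(secret, rng):
    """Assumed mitigation: decoys drawn once per user and reused on every load."""
    decoys = rng.sample([i for i in POOL if i != secret], SHOWN - 1)

    def render(secret, rng):
        page = decoys + [secret]
        rng.shuffle(page)  # order still random, but membership never changes
        return page

    return render


def views_to_isolate(render, secret, rng, max_views=20):
    """Intersect the assortments seen across page loads (the observer's view).

    Returns how many loads it took until one candidate (the secret) is left,
    or None if max_views loads still leave several candidates.
    """
    candidates = set(POOL)
    for views in range(1, max_views + 1):
        candidates &= set(render(secret, rng))
        if len(candidates) == 1:
            return views
    return None


def demo(seed=2004):
    """Both schemes from one seed: (loads with random decoys, loads with fixed)."""
    rng = random.Random(seed)
    fixed = make_fixed_decoy_renderer(SECRET, rng)
    return (views_to_isolate(render_random_decoys, SECRET, rng),
            views_to_isolate(fixed, SECRET, rng))


if __name__ == "__main__":
    print(demo())  # first element is small; second is always None
```

With 100 images and 5 shown, a decoy survives a second load with probability 4/99, so the random-decoy scheme is usually isolated after two or three loads; randomising only the order, not the membership, is what removes the signal.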