WebApp Sec mailing list archives

Re: [WEB SECURITY] SSL does not = a secure website


From: Gervase Markham <gerv () gerv net>
Date: Wed, 29 Mar 2006 09:40:04 -0800

James Strassburg wrote:
> There are additional countermeasures that a web application can
> implement.  For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th character of
> your password).  I should state that while I've read about these I don't
> know of a web application that makes use of them.

Barclays Bank in the UK uses the latter - a five-digit numeric password,
specified in full, and a memorable word, of which you specify two
letters using dropdown lists (so you have to use the mouse).

Gerv
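As an added illustration (not from the original post, and not any bank's actual implementation) of the "enter the 2nd and 4th character of your memorable word" check discussed above, here is a minimal server-side sketch in Python. The memorable word is a constructed sample; the comments carry the practitioner's caveat that verifying single characters means the word cannot be stored as a one-way hash.

```python
import hmac
import secrets

# Constructed sample value for the demonstration, not a real credential.
SAMPLE_WORD = "lighthouse"


class PartialPasswordChallenge:
    """Server side of 'enter characters N and M of your memorable word'.

    To check individual characters the server needs the word in a
    recoverable form (it cannot verify against a one-way hash of the whole
    word), so the scheme trades keylogger resistance for storage that must
    be protected as plaintext-equivalent. Here it is held in memory only.
    """

    def __init__(self, word: str, chars_per_challenge: int = 2):
        if chars_per_challenge > len(word):
            raise ValueError("challenge asks for more characters than the word has")
        self._word = word.casefold()       # dropdown letters are case-insensitive
        self._k = chars_per_challenge
        self._rng = secrets.SystemRandom()  # CSPRNG, so positions are unpredictable

    def issue_challenge(self) -> list[int]:
        """Pick distinct 1-based positions, sorted so the prompt reads naturally."""
        return sorted(self._rng.sample(range(1, len(self._word) + 1), self._k))

    def verify(self, positions: list[int], answer: str) -> bool:
        """Check the submitted characters against the challenged positions."""
        if len(positions) != self._k or len(set(positions)) != self._k:
            return False                    # wrong count or repeated positions
        if any(not 1 <= p <= len(self._word) for p in positions):
            return False                    # position outside the word
        expected = "".join(self._word[p - 1] for p in positions)
        # Constant-time compare so timing does not reveal which character mismatched.
        return hmac.compare_digest(expected.encode(), answer.casefold().encode())


def positions_exposed(challenges: list[list[int]]) -> int:
    """How many distinct positions a keylogger that captured these logins has seen.

    Each observed login reveals k characters; once the union covers the whole
    word, the partial scheme gives no more protection than full entry, which is
    why lockout and re-enrolment policies still matter alongside it.
    """
    return len(set().union(*challenges)) if challenges else 0
```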
