Subject: Re: Summary: Growing Bad Practice with Login Forms - msg#00178
List: security.web-applications
> On Wednesday 28 Jul 2004 14:27, Ivan Andres Hernandez Puga wrote:
> I am unable to find the post, but the suggestion of pass phrases that
> the user holds would surely help. Showing characters x and y to a
> user and getting them to verify them against a given phrase (provided
> non-electronically, by normal post perhaps) would allow the user to
> verify in her own mind that the site is legitimate before entering
> login information.
The reason I suggested characters from pass phrases was because when
designing an authentication mechanism for a private bank I realised that
unless you use alt tags for text, it isn't really accessible to the blind.
Also the pass phrase can be sent along with the PIN in the post. The
feedback I got indicated that the users had absolutely no problem adapting
to it as they thought it was just another PIN - the bank now mentions two
characters from the passphrase when they call the account holder to
confirm their identity over the phone, something they find particularly
useful.
>
> > athena@xxxxxxxxxxxxxx wrote:
> > >>Users are stupid, unpredictable, and applications would function a
> > >>lot better without their interaction.
>
> Perhaps intended to be tongue-in-cheek somewhat? None of us deny the
> point in the technology is for the user.
It was meant to be tongue-in-cheek. I think Mark's Disney reference in
another post does demonstrate proof of at least the first item in that
statement though :)
>
> David Telfer
Steve
Thread at a glance:
Previous Message by Date:
Re: Summary: Growing Bad Practice with Login Forms
David Telfer wrote:
I am unable to find the post, but the suggestion of pass phrases that the user
holds would surely help. Showing characters x and y to a user and getting
them to verify them against a given phrase (provided non-electronically, by
normal post perhaps) would allow the user to verify in her own mind that the
site is legitimate before entering login information.
If the site is being MITM'ed, that is worthless. It is trivial to relay
whatever the genuine server sends to the user, with him being none the
wiser.
David Telfer
Rogan
--
Rogan Dawes
*ALL* messages to discard@xxxxxxxxxxxx will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
Next Message by Date:
RE: Summary: Growing Bad Practice with Login Forms
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----Original Message-----
From: Mike Peppard [mailto:mpeppard@xxxxxxxxxx]
Sent: Wednesday, 28 July, 2004 10:49
To: webappsec@xxxxxxxxxxxxxxxxxxxxxxx
Subject: RE: Summary: Growing Bad Practice with Login Forms
> In the same way that sites tell users to look for the padlock, they should
> also be told to verify the certificate before blindly accepting it <snip>
Certs can be faked occasionally.
Not many users want to be educated about verifying a cert.
(Users are predictably unpredictable/dumb/busy/don't care)
> Just as when banking you may get asked for two letters from your
> passphrase, the application could give you two characters from its
> passphrase to let you know that it's the real deal. If the characters
> don't add up ... you're in trouble.
Something like a database of unique graphics and you know you're secure if
the site has hashed your password and chosen "your" graphic to put in the
upper corner of every page?
NOW that makes the most sense. And I think it should give the user the sense
of security that they are looking for.
My local lib., even though they "mask" the password, DOESN'T use a secured
server. It makes me wonder why they even bother with passwords at all.
Herman F. Ebeling Jr.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQQfSPR/i52nbE9vTEQK8uwCgvypTk3W2QHF0Qj6YuYQ3sfxyoGEAoPtV
DE1k6kkTh0rgGlRxWXzkgusW
=tAYY
-----END PGP SIGNATURE-----
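The two site-to-user indicators discussed in this thread, Steve's "show two characters of the posted passphrase" and Herman's "pick the user's own graphic from a hash of the password", are sketched below in Python as an added illustration; this is not code from any poster or bank. The account record, the image catalogue and the server key are constructed for the example, and keying the graphic selection with a server-side secret (an HMAC rather than a bare hash) is an assumption added here so that the password alone does not determine the image. Rogan's objection still applies to both: the check only tells the user that the far end knows the passphrase, and a relay that forwards the genuine site's response passes it through unchanged, so these indicators complement rather than replace verifying the certificate.

```python
import hashlib
import hmac
import random

# Constructed sample data for the example (not from the original thread).
ACCOUNT = {"passphrase": "correct horse battery staple"}
IMAGE_CATALOGUE = ["anchor", "bicycle", "cactus", "dolphin", "eagle"]
SERVER_KEY = b"constructed-server-secret"  # assumed server-side key, kept out of the client


def challenge_positions(passphrase, n=2):
    """Server side: choose n distinct 1-based positions to reveal.

    Whitespace positions are skipped so a space is never one of the
    revealed characters, and the draw comes from the OS CSPRNG so the
    positions change unpredictably between logins.
    """
    candidates = [i for i, ch in enumerate(passphrase, start=1) if not ch.isspace()]
    if len(candidates) < n:
        raise ValueError("passphrase too short for a %d-character challenge" % n)
    return sorted(random.SystemRandom().sample(candidates, n))


def reveal_characters(passphrase, positions):
    """Server side: the characters shown to the user before the login form."""
    return [passphrase[p - 1] for p in positions]


def user_verifies(memorised_phrase, positions, shown):
    """User side: compare what the site displayed with the phrase received by post."""
    return all(memorised_phrase[p - 1] == c for p, c in zip(positions, shown))


def choose_image(password, server_key, catalogue):
    """Pick the user's graphic from the catalogue.

    Herman's idea hashes the password; here the hash is keyed with a
    server secret (HMAC-SHA256) so the mapping cannot be reproduced by
    anyone who merely knows or guesses the password.
    """
    digest = hmac.new(server_key, password.encode("utf-8"), hashlib.sha256).digest()
    index = int.from_bytes(digest[:4], "big") % len(catalogue)
    return catalogue[index]


if __name__ == "__main__":
    phrase = ACCOUNT["passphrase"]
    positions = challenge_positions(phrase)
    shown = reveal_characters(phrase, positions)
    print("site shows positions %s: %s" % (positions, shown))
    print("user accepts:", user_verifies(phrase, positions, shown))
    print("user's graphic:", choose_image("hunter2", SERVER_KEY, IMAGE_CATALOGUE))
```

Both checks are deterministic given the server's data, which is exactly why a relay defeats them: the server answers the challenge correctly whether the request came from the user or from something sitting between the user and the server.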
Next Message by Thread:
RE: Summary: Growing Bad Practice with Login Forms
To play the devil's advocate, how many people actually take this kind of
responsibility for other, far more critical matters?
Many people do not behave interactively in important situations because
everybody tends to specialize. I freely admit that I could not fix my car
beyond changing fuses, changing oil and such, not because of ignorance, or
stupidity, but rather because I would prefer to spend my time researching AI
or some other more interesting topic than learning how to fasten two widgets
together with a gasket. Does this mean I don't take my safety seriously
when driving? I listen to my vehicle and pay attention for weird noises,
and get it serviced when it, or my mechanic tells me to. Personally, I
would rather my doctor spend his time reading medical journals and improving
his knowledge so that he can catch whatever bizarre and rare disorder or
bacteria that affects me instead of puzzling over which button to click
where to attempt to understand if a connection is secure. Specialization is
what has allowed us to develop the technology that we have all started to
take for granted.
Computer users have been trained to trust their computers by the industry
for the previous 20 years. We have told them (and even though I am only 27
I include myself; I have been guilty of this when I was peddling custom
software as a teenager) that computers will help them work faster, more
efficiently, and save time and money. Also we have told them that storing
personal information on their computers is safe as long as there was a
backup (and it was until some gomer came up with the idea of connecting
everyone under the sun to the internet). Now after two decades of this
behaviour we have to re-educate them to understand that personal information
needs to be protected, and that they need to actually understand what their
computer is doing.
When you compare this to the challenges presented to the security industry
by marketing and sales it is rather daunting. You have a small group of
people saying "You need to learn more and work harder to make your system
more secure, and stop being such a stupid user" against an ocean of software
vendors, marketing teams, and profiteers saying "buy this magic bullet to
protect your information and stop evil hackers and viruses with no extra
effort". People do not pick the marketing people because they are dumb,
they pick the marketing people because they are not being degraded, and they
are not being told that they have to do extra work.
I personally have no problem stomping on programmers when I am performing a
code audit, or flaming network engineers when I am assisting with a VA, but
only if they deny that security is an issue, or disagree (to the point of
ignorance or belligerence) with a perfectly valid assessment of a
vulnerability because it makes them look bad. Don't stomp on users because
they have not chosen to specialize in understanding computer technology.
They could probably take you to the streets in their area of specialization
and think you are a chump for not understanding what seems basic or trivial
to them.
Regards,
Yvan
> -----Original Message-----
> From: David Telfer [mailto:david.telfer@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, July 28, 2004 10:16 AM
> To: webappsec@xxxxxxxxxxxxxxxxx
> Cc: ivan.hernandez@xxxxxxxxxxxxxxxx
> Subject: Re: Summary: Growing Bad Practice with Login Forms
>
> On Wednesday 28 Jul 2004 14:27, Ivan Andres Hernandez Puga wrote:
>
> > Anyway, there is no application without user. Why don't you
> > try to learn
> > what's wrong with your point of view instead of blaming the
> > 99% of non
> > techie people?
>
> His point of view has some foundation. Your personal information is
> ultimately your responsibility. A lot of people are wary of
> real world security
> implications, card skimming and tampered ATM machines for
> example. They
> would not insert their bank card into an ATM machine that
> looked abnormal.
>
> Many of the public would never check public keys or
> certificates though.
> Surely taking some responsibility for your own personal
> information should be
> assumed.
>
> On the other hand it is the responsibility of the site
> developer to be verbose
> as much as possible in security provisions. Ways to help the
> "non techie
> people" secure their data should be under constant development.
>
> I am unable to find the post, but the suggestion of pass
> phrases that the user
> holds would surely help. Showing characters x and y to a
> user and getting
> them to verify them against a given phrase (provided
> non-electronically, by
> normal post perhaps) would allow the user to verify in her
> own mind that the
> site is legitimate before entering login information.
>
> > athena@xxxxxxxxxxxxxx wrote:
> > >>Users are stupid, unpredictable, and applications would
> > >>function a lot
> > >>better without their interaction.
>
> Perhaps intended to be tongue-in-cheek somewhat? None of us
> deny the point in
> the technology is for the user.
>
> David Telfer
>