[cap-talk] Update on petname related anti-phishing work at the W3C
Tyler Close
tyler.close at gmail.com
Wed Jun 27 20:20:49 EDT 2007
On 6/27/07, Karp, Alan H <alan.karp at hp.com> wrote:
> Tyler Close wrote:
> >
> > Also, seeing your password in the PII bar is part of what tells you
> > you're looking at the real PII bar and not a spoof. Does your password
> > really need more protection from shoulder surfing than your credit
> > card number gets, or other PII strings get?
> >
> I have at most a $50 liability for misuse of my credit card. Schwab
> holds me fully responsible for any use of my account accessed with my
> password.
All the more reason to have a big belly to protect the bottom of the screen? ;)
> Besides, if I've got strong passwords, they were probably
> generated by some tool and are meaningless to me.
Possibly still recognizable though.
If we mask the password, then I have to make the chrome customization
a MUST, instead of a SHOULD, as it becomes our only spoof protection.
There's also the issue of how do you know you're filling out a
password field. It requires that the web content both presents this
information and that the browser understands it. Not so bad for HTML,
but a potential problem with all the new rich-client formats that are
being announced.
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/