[cap-talk] Update on petname related anti-phishing work at the W3C

Tyler Close tyler.close at gmail.com
Wed Jun 27 20:44:57 EDT 2007


On 6/27/07, Karp, Alan H <alan.karp at hp.com> wrote:
> > >  Besides, if I've got strong passwords, they were probably
> > > generated by some tool and are meaningless to me.
> >
> > Possibly still recognizable though.
>
> Actually, with my password calculator, I only recognize the hash of my
> master password but rarely get that spark of familiarity with any of the
> others.

Hmmm... OK, that indicates that passwords aren't great for spoof
recognition, so either way I should make the chrome customization a
MUST.

> > If we mask the password, then I have to make the chrome customization
> > a MUST, instead of a SHOULD, as it becomes our only spoof protection.
> > There's also the issue of how do you know you're filling out a
> > password field. It requires that the web content both presents this
> > information and that the browser understands it. Not so bad for HTML,
> > but a potential problem with all the new rich-client formats that are
> > being announced.
> >
> Hey, nothing is impossible for the person who doesn't have to do it :)
> I agree the task may be impossible without some convention for flagging
> fields that should be obscured.  Is that something you want to throw
> into the mix?

Can't. We can't make specifications for protocols or data formats. We
have to rely on what's already deployed.

All this also assumes you have only one password per site. If you have
multiple passwords, then selecting the right one from a menu becomes
tricky. I suppose in that case you could display the first character
of each in the menu. This is starting to get pretty involved. Would
having your password in cleartext at the bottom of the screen during
password selection prevent you from using this tool?

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/