[cap-talk] Update on petname related anti-phishing work at the W3C

Tyler Close tyler.close at gmail.com
Thu Jun 28 17:09:27 EDT 2007


On 6/28/07, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> On Thu, 2007-06-28 at 12:45 -0700, Tyler Close wrote:
>
> > A password may still show up on screen when it is first created.
> > Having a special editing mode for creating a password seems
> > potentially confusing and awkward. Do people feel this step must also
> > be more strongly protected from shoulder surfing?
>
> DEFINITELY!
>
> Tyler:
>
> I'm *very* surprised that you have headed down the wrong trail so
> completely where passwords are concerned.

Are you saying you think the status quo for the login ceremony is
superior to what I have proposed?

> It took *decades* to get
> machines to finally blind passwords consistently, and it isn't a thing
> to change lightly. Perhaps the working group really did give this change
> adequate consideration, but that isn't apparent from the discussion that
> has surfaced so far.

Currently, the proposal is merely what I am proposing the Working
Group should investigate over the coming months as a potential
recommendation. So your criticism falls on me, rather than the Working
Group as a whole.

The case for being so concerned with shoulder surfing is not clear to
me. I think protection from a remote attacker, and the usability of
the tool, are more important. Nevertheless, I'll think some more to
see if I can come up with better protection from shoulder surfing
during the password creation phase. Given that a shoulder surfer can
likely also see your fingers if he can see the bottom of your screen,
I don't know how successful this attempt will be.

Thanks for the feedback.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
