[OpenID] [security] Another Client-side Password Phishing Mitigation Idea
James A. Donald
jamesd at echeque.com
Wed Jan 24 02:42:31 UTC 2007
--
Tan, William wrote:
> If I understand you correctly, you're criticizing its
> usability or inconvenience. As much as I hate yet
> another type of pop-up dialog, I base my idea on the
> paper that Mike referred to:
> http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
> which showed that with modal warning dialogs users
> exercised more caution and phishing was less
> successful.
Modal warning dialogs rapidly train users to click
through, so their effectiveness is only temporary.
You really have to include a "never show me this
!@#$%^&* dialog again" option, which will invariably be
selected.
Every browser in existence is supposed to remember
passwords. Therefore on my home machine, I should never
have to enter passwords, and therefore should be immune
from being phished. But in fact I continually have to
enter passwords, and would be no better off if every
time I had to enter a password, I had to click through a
"be careful" dialog.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
2N0cInFglbELGZv/xcGGrJJbl9chLVH6/s/22G7/
4omd1OCHXspaDCDanH6cRb4StpE2XqsLfEzMHO8rb