[OpenID] [security] Another Client-side Password Phishing Mitigation Idea

James A. Donald jamesd at echeque.com
Wed Jan 24 02:42:31 UTC 2007

Tan, William wrote:
 > If I understand you correctly, you're criticizing its
 > usability or inconvenience. As much as I hate yet
 > another type of pop-up dialog, I base my idea on the
 > paper that Mike referred to:
 >     http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
 > which showed that with modal warning dialogs users
 > exercised more caution and phishing was less
 > successful.

Modal warning dialogs rapidly train users to click
through, so their effectiveness is only temporary.

You really have to include a "never show me this
!@#$%^&* dialog again" option, which will invariably be

Every browser in existence is supposed to remember
passwords.  Therefore on my home machine, I should never
have to enter passwords, and therefore should be immune
from being phished.  But in fact I continually have to
enter passwords, and would be no better off if every
time I had to enter a password, I had to click through a
"be careful" dialog.

          James A. Donald
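The point about remembered passwords rests on how a browser password manager decides when to fill: stored credentials are keyed by the exact origin they were saved on, so a look-alike host never receives them. The following is an added illustration of that origin check, not code from the mailing list or from any browser; the vault contents and the URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample vault: one credential, keyed by (scheme, host, port).
VAULT = {
    ("https", "example.com", 443): ("alice", "correct-horse"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Reduce a URL to the (scheme, host, port) triple used as the autofill key.

    Path, query and fragment are ignored on purpose: the same site may log in
    from many pages, but a different host or a plain-http downgrade is a
    different origin and must never match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()      # hostname is already bracket-free
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def autofill(url):
    """Return the stored (username, password) only on an exact origin match.

    None means "no fill": the user would have to type the password, which is
    the situation the message above describes as a phishing exposure.
    """
    return VAULT.get(origin_of(url))
```

The exact-match key is what makes autofill resist phishing without any warning dialog: `example.com.login-help.test`, `login-example.com`, `examp1e.com`, and `http://example.com` all produce different keys, so the vault stays silent on them even though a human glancing at the address bar might accept any of them.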

