[OpenID] [security] Another Client-side Password Phishing Mitigation Idea

James A. Donald jamesd at echeque.com
Wed Jan 24 02:42:31 UTC 2007


     --
Tan, William wrote:
 > If I understand you correctly, you're criticizing its
 > usability or inconvenience. As much as I hate yet
 > another type of pop-up dialog, I base my idea on the
 > paper that Mike referred to:
 >     http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
 > which showed that with modal warning dialogs users
 > exercised more caution and phishing was less
 > successful.

Modal warning dialogs rapidly train users to click
through, so their effectiveness is only temporary.

You really have to include a "never show me this
!@#$%^&* dialog again" option, which will invariably be
selected.

Every browser in existence is supposed to remember
passwords.  Therefore on my home machine, I should never
have to enter passwords, and therefore should be immune
from being phished.  But in fact I continually have to
enter passwords, and would be no better off if every
time I had to enter a password, I had to click through a
"be careful" dialog.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      2N0cInFglbELGZv/xcGGrJJbl9chLVH6/s/22G7/
      4omd1OCHXspaDCDanH6cRb4StpE2XqsLfEzMHO8rb