[security] How to prevent phishing...
Shihab Hamid
shihab at gmail.com
Wed Apr 11 14:41:49 UTC 2007
Hi,
On 4/12/07, gaz_sec at hushmail.com <gaz_sec at hushmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If I understand your point correctly, are you referring to the fact
> that a phisher could get the passphrase from the user? This would
> not be possible, because the passphrase would only be available to
> that user, and the passphrase consists of 5 or more words that are
> meaningful to that user, not a standard phrase that a phisher could
> easily construct.
How does the user see the passphrase before logging in? If the passphrase is
tied to the user, then on the login page, how do you show the passphrase for
that user? You would need to know the username before the login screen is
presented. I'm not sure what's stopping an attacker from passing someone
else's username to get to the login screen, which displays that user's
passphrase.
-Shihab
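As an added illustration (not code from this thread or from either poster), here is the flaw Shihab describes beside one common mitigation, assumed here rather than proposed in the thread: a hypothetical login page that reveals the user's passphrase on username alone, next to a version that reveals it only when the browser presents a device token issued after a previous fully authenticated sign-in. The user names, passphrases, token format and server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> personalised anti-phishing passphrase
USERS = {
    "alice": "blue teapot river morning lamp",
    "bob": "granite owl seven quiet pine",
}
# Assumed: a server-side key used only to bind device tokens to users
SERVER_KEY = secrets.token_bytes(32)


def naive_login_page(username):
    """The design questioned in the thread: whoever supplies a username
    is shown that user's passphrase before any authentication."""
    return {"passphrase": USERS.get(username)}


def issue_device_token(username):
    """Assumed mitigation: issued only after a completed, fully
    authenticated sign-in on this browser, then stored as a cookie."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{username}:{nonce}:{mac}"


def device_token_valid(username, token):
    """True only if the token was issued by this server for this username."""
    try:
        tok_user, nonce, mac = token.split(":")
    except (ValueError, AttributeError):
        return False
    if tok_user != username:
        return False
    expected = hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def hardened_login_page(username, device_token=None):
    """Reveal the passphrase only to a browser already bound to this user.
    Unknown user and unrecognised device get the same neutral response,
    so the page also does not confirm which usernames exist."""
    if username in USERS and device_token_valid(username, device_token):
        return {"passphrase": USERS[username]}
    return {"passphrase": None, "message": "Device not recognised; complete a full sign-in first."}
```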