[security] How to prevent phishing...

gaz_sec at hushmail.com gaz_sec at hushmail.com
Wed Apr 11 15:33:45 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The passphrase would be stored in a session/cookie, which would be
separate from an actual login. The effect would be similar to
Amazon's welcome message, which says hello, but you are not
actually logged on.

On Wed, 11 Apr 2007 15:41:49 +0100 Shihab Hamid <shihab at gmail.com>
wrote:
>Hi,
>
>On 4/12/07, gaz_sec at hushmail.com <gaz_sec at hushmail.com> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> If I understand your point correctly, are you referring to the
>> fact that a phisher could get the passphrase from the user? This
>> would not be possible because the passphrase would only be available
>> to that user, and the passphrase consists of 5 or more words that
>> are meaningful to that user, not a standard phrase that a phisher
>> could easily construct.
>
>
>How does the user see the passphrase before logging in? If the
>passphrase is tied to the user, then on the login page, how do you show
>the passphrase for that user? You would need to know the username before
>the login screen is presented. I'm not sure what's stopping an attacker
>from passing someone else's username to get to the login screen which
>displays that user's passphrase.
>
>-Shihab
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYc/3IACgkQrR8fg3y/m1DsdAP+JFNhrR1P24sO4jgSdr3QFWyslW1j
kUxIYArggclP0LN9mO0AJmUcaO/D/f2WI7lVt85/Xi0JIwkJNwelqKOOnMeEQQsLMAlx
QiwE+EEHdo2VjTmGHyVqzM08wLRrDuGWbWSr2iEH1zt02sEbUVA3fLeUj/LjmuuawPKT
8DnQpvI=
=hDPc
-----END PGP SIGNATURE-----
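The exchange above turns on one design question: what selects the recognition phrase on the pre-login page. If a username in the request selects it, anyone who types someone else's username sees that user's phrase; if a browser cookie set during an earlier real login selects it, the username in the request carries no weight. The following simulation is an added example written for this archive page, not code from either correspondent. It assumes a hypothetical `RecognitionService` with constructed sample users, and it departs from the mail in one labelled respect: the cookie holds an opaque random token and the phrase stays server-side, rather than storing the phrase in the cookie itself.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data for this example (not from the original thread):
# each user's self-chosen, multi-word recognition phrase, kept server-side only.
USER_PHRASES: Dict[str, str] = {
    "alice": "my grandmother's blue porcelain cat",
    "bob": "rainy tuesday bicycle soup",
}


@dataclass
class RecognitionService:
    """Hypothetical site-to-user recognition phrase bound to a browser cookie.

    After a completed password login the server sets a random device token as
    a cookie. On later visits the pre-login page greets the user with their
    phrase, looked up from that cookie alone; the user is not logged in yet,
    much like the 'hello' greeting the mail compares this to.
    """
    phrases: Dict[str, str]
    # token -> username. In a real deployment this is a database table;
    # here it is an in-memory dict (assumption of this example).
    device_tokens: Dict[str, str] = field(default_factory=dict)

    def enroll_browser(self, username: str) -> str:
        """Call only after a successful password login. Returns the cookie value."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.device_tokens[token] = username
        return token

    def revoke_browser(self, token: str) -> None:
        """Forget a browser (logout everywhere, suspected cookie theft)."""
        self.device_tokens.pop(token, None)

    def login_page(self, requested_username: Optional[str],
                   device_cookie: Optional[str]) -> Dict[str, Optional[str]]:
        """Render the pre-login page.

        The phrase is chosen by the cookie, never by a username supplied in the
        query string or form. That is what closes the gap raised in the reply:
        submitting another person's username yields no phrase.
        """
        if device_cookie is None:
            return {"phrase": None, "reason": "no device cookie; browser not recognised"}
        owner = self.device_tokens.get(device_cookie)
        if owner is None:
            return {"phrase": None, "reason": "unknown or revoked device cookie"}
        if requested_username is not None and requested_username != owner:
            # The cookie recognises one account; a request naming a different
            # account gets nothing, so the mismatch itself is a useful signal.
            return {"phrase": None, "reason": "username does not match recognised browser"}
        return {"phrase": self.phrases[owner], "reason": "recognised browser"}


def scenario() -> Dict[str, Optional[str]]:
    """Walk through the cases discussed in the thread and return what each shows."""
    svc = RecognitionService(phrases=dict(USER_PHRASES))
    first_visit = svc.login_page("alice", None)["phrase"]       # no cookie yet
    token = svc.enroll_browser("alice")                         # after real login
    recognised = svc.login_page(None, token)["phrase"]          # same browser later
    other_user = svc.login_page("bob", token)["phrase"]         # alice's cookie, bob's name
    guessed_cookie = svc.login_page("alice", "not-a-real-token")["phrase"]
    svc.revoke_browser(token)
    after_revoke = svc.login_page("alice", token)["phrase"]
    return {
        "first_visit": first_visit,
        "recognised": recognised,
        "other_user": other_user,
        "guessed_cookie": guessed_cookie,
        "after_revoke": after_revoke,
    }


if __name__ == "__main__":
    for case, phrase in scenario().items():
        print(f"{case:15s} -> {phrase!r}")
```

The property the example makes visible is that a page reached with a username but without the right cookie shows no phrase at all, so a missing phrase on a login page is the signal the user is meant to notice. The residual limits are the ones the cookie model always has: a fresh browser shows no phrase until the first real login, and a stolen cookie recognises the thief's browser until it is revoked, which is why `revoke_browser` is part of the service.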
