Hi,<br><br><div><span class="gmail_quote">On 4/12/07, <b class="gmail_sendername"><a href="mailto:gaz_sec@hushmail.com">gaz_sec@hushmail.com</a></b> <<a href="mailto:gaz_sec@hushmail.com">gaz_sec@hushmail.com</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>If I understand your point correctly are you referring to the fact
<br>that a phisher could get the passphrase from the user. This would<br>not be possible because the passphrase would only be available to<br>that user and the passphrase consists of 5 or more words that are<br>meaningful to that user not a standard phrase that a phisher could
<br>easily construct.</blockquote><div><br>How does the user see the passphrase before logging in? If the passphrase is tied to the user, then on the login page, how do you show passphrase for that user? You would need to know the username before the login screen is presented. I'm not sure what's stopping an attacker from passing someone else's username to get to the login screen which displays that user's passphrase?
<br><br>-Shihab<br></div></div><br>