silky wrote:
On Sun, Feb 22, 2009 at 6:33 AM, Ed Gerck edge...@nma.com wrote:
(UI in use since 2000, for web access control and authorization) After you
enter a usercode in the first screen, you are presented with a second screen
to enter your password. The usercode is a mnemonic 6-character
James A. Donald wrote:
No one is going to check for the correct three letter
combination, because it is not part of the work flow, so
they will always forget to do it.
Humans tend to notice patterns. We easily notice mispelngs. Your
experience may be different but we found out in testing
On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck edge...@nma.com wrote:
[snip]
Thanks for the comment. The BofA SiteKey attack you mention does not work
for the web access scheme I mentioned because the usercode is private and
random with a very large search space, and is always sent after SSL starts
silky wrote:
On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck edge...@nma.com wrote:
[snip]
Thanks for the comment. The BofA SiteKey attack you mention does not work
for the web access scheme I mentioned because the usercode is private and
random with a very large search space, and is always sent
On Tue, Feb 24, 2009 at 12:23 PM, Ed Gerck edge...@nma.com wrote:
[snip]
What usercode? The point you are missing is that there are 2^35 private
usercodes and you have no idea which one matches the email address that you
want to send your phishing email to.
What you're missing is that it
Aloha!
Ian G wrote:
However I think it is not really efficient at this stage to insist on
secure programming for submission implementations. For the simple
reason that there are 42 submissions, and 41 of those will be thrown
away, more or less. There isn't much point in making the 41
On Tue, 17 Feb 2009, James Hughes wrote:
I find this conversation off the point. Consider other trades like
woodworking. There is no FAQ that can be created that would be applicable to
building a picture frame, dining room table or a covered bridge. A FAQ for
creating a picture frame would be
On Sat, 21 Feb 2009, Peter Gutmann wrote:
This points out an awkward problem though, that if you're a commercial vendor
and you have a customer who wants to do something stupid, you can't afford not
to allow this. While my usual response to requests to do things insecurely is
If you want to
On Feb 24, 2009, at 6:22 AM, Joachim Strömbergson wrote:
Aloha!
Ian G wrote:
However I think it is not really efficient at this stage to insist on
secure programming for submission implementations. For the simple
reason that there are 42 submissions, and 41 of those will be thrown
away,
Hello all,
I'm working on a presentation about cryptography to give to the Open
Web Application Security Project (OWASP). The reason why I'm giving
it is that I've seen web developers doing crypto a lot lately, and
they seem to be making some naive mistakes, like using ECB mode for
multi-block
Travis travis+ml-cryptogra...@subspacefield.org writes:
I'm working on a presentation about cryptography to give to the Open
Web Application Security Project (OWASP).
[...]
In addition, I'm curious about:
Which hashes are currently vulnerable to length-extension attacks. If
I recall Bruce
you enter a usercode in the first screen, you are presented with a
second screen to enter your password. The usercode is a mnemonic
6-character code such as HB75RC (randomly generated, you receive from
the server upon registration). Your password is freely chosen by you
upon registration. That