On Thu, 1 Jun 2006, Jeffrey Altman wrote:
> Solving the phishing problem requires changes on many levels:

I agree.

> (1) Some form of secure chrome for browsers must be deployed where
>     the security either comes from a "trusted desktop" or by per-user
>     customizations that significantly decrease the chances that the
>     attacker can fake the web site experience.

What do you think of the various trusted-path ideas that have been
proposed?  In particular i'm curious what you think of the solution
i currently favour (the customized toolbar button), but some of the
others certainly seem promising (such as PwdHash's special hotkey
at the beginning of a password).

> (2) Reducing the number of accounts and passwords (or other identifiers)
>     that end users need to remember.

Password hashing is one way to deal with this.  In Passpet's case,
the password is generated by hashing a master secret with a label
that you provide for each site.

> (3) Secure mechanisms must be developed for handling enrollment and
>     password changing.

With Passpet, you would click the button to fill in the password on a
new account registration form, which generates a unique password for
the site.  To change your password, you would go to the site's account
settings page, click the button to fill in your old password, edit the
site label, then click the button again to get a new password.

Does that address the issues you had in mind, or were you thinking of
other situations?

-- ?!ng

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to