Sidd,
> For those who only use one computer and who have a fixed IP address,
> the IP security is also available (George?)

I prefer to keep my options open. You never know what can happen. Besides, I'm on dial-up for the moment and I can't be sure if the next time the IP will even be in the same domain.

> It doesn't matter George! It is just one half of the
> puzzle, the Password is the SECRET part of the key... The PIK is
> there to defeat the trojans, the password secures your account, just
> as it does in e-gold and the others.

If your PIK becomes public, and you log in from a public computer (or from some computer you don't have complete control over), anyone could have a key-logger read your password. If your PIK is not public but you log in a number of times from the same (public) computer, anyone could monitor your activity and put together all elements of your PIK. So, once you log in from a public computer, the security is compromised. Guys, never do that! There is not enough security for such a case. There can't be! You must never log in from the same (public) location more than once / twice, or at least change the PIK after one or two public log-ins.

As I said before, if the PIK is known, the password is too short and can be cracked. So, you can't make your PIK public because the security is compromised.

>> If the password could be longer (the maximum set to at least 20 characters),
>> things would be entirely different.
> Ok, that's no problem to change...

Only in that case, the security of Pecunix will be above the others, not before that. Most people don't use IP lock or PGP log-in, they use passwords - it's easier.

> Actually, we would need to have 3 PIKs and 3 passwords...

Why use passwords anyway, Sidd? You can't expect users to remember three passwords (with those random numbers included), that is beside any other passwords they have to remember. So, they either save them on their computers, or print them.
In any case, a pair of PIKs is even better (than PIK + password) since none of them can be intercepted by key-loggers. However, there is no need for a pair, just an increase in the number of elements of a PIK (to 30, for example), and also an increase in the number of combo-boxes in the log-in form (to 8, for example).

Here is another possible improvement. The combo-boxes are text, and therefore can be intercepted, so why not replace them with pictures too. One way is for the log-in form to ask for 8 random characters from the (30 characters long) PIK, and to have a pool of characters (like a small keyboard) from which users can drag and drop characters. This method is much easier to use than to navigate through the combo-boxes. Here is a possible layout:

--------------------------------------------------------
Pecunix log-in

Drag-and-drop on the following (numbered) spots, from the pool of letters, each letter from your PIK associated with the number displayed in the drop spots.

Drag from this pool of letters:
"A" "B" "C" "D" "E" "F" "G" "H" "I" "J" ...

Drop a letter from the pool on each of the following spots:
"28" "03" "14" "09" "18" "29" "20" "11"
--------------------------------------------------------

Another possible improvement is for the pool of characters to be randomly displayed, not in the same (alphabetical) order every time. Of course, you can have passwords too.

The main idea is that I think this is easier and safer than to have combo-boxes and edit-boxes, since you want to be able to log in from public places. The good thing about this is that no logger is supposed to have any possible way to monitor in what order you drag-and-drop the letters (as long as the pool and the drop zone are randomly ordered), because the letter-number associations are not cached on disk. But you're still not safe if some dude can hook the image drops (which image was dropped on what spot) and you still log in many times from the same public computer.
> It's too complicated and too limiting George... imagine, if people
> judge the current Pecunix system as complicated, how much more so is
> "bedazzled"?

Well, I said it's probably interesting only for those who need extreme security (and never log in from any other place than the personal computer).

George Hara
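The thread's central claim is that a partial-secret challenge (8 letters asked from a 30-letter PIK) only protects you until someone who can watch the login form has seen enough logins to piece the whole PIK together. The model below, an added example that is not code from Pecunix or from anyone in this thread, uses the thread's numbers (30-letter PIK, 8 drop spots, a letter pool) and assumes its own function names and a simple "session observer" that records which letter landed on which numbered spot. It shows how many observed logins it takes, on average, before the observer holds the complete PIK, which is the reason for the advice above to change the PIK after one or two public logins.

```python
"""Model of a partial-secret PIK challenge and how repeated observation erodes it.

Added example; not code from Pecunix or from the thread's participants.
PIK length (30), challenge size (8) and the letter pool come from the thread;
function names and the observer model are this example's own assumptions.
"""
import random
import string

PIK_LENGTH = 30        # proposed PIK length from the thread
CHALLENGE_SIZE = 8     # number of drop spots / combo boxes per login
ALPHABET = string.ascii_uppercase


def generate_pik(seed, length=PIK_LENGTH):
    """Random PIK drawn from the letter pool (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def make_challenge(rng, length=PIK_LENGTH, size=CHALLENGE_SIZE):
    """Server side: pick `size` distinct PIK positions to ask for at this login."""
    return sorted(rng.sample(range(length), size))


def answer_challenge(pik, positions):
    """Client side: the letters the user drags onto the numbered spots."""
    return "".join(pik[i] for i in positions)


def verify(pik, positions, response):
    """Server side: compare the submitted letters with the stored PIK."""
    return answer_challenge(pik, positions) == response


def guess_space(size=CHALLENGE_SIZE, alphabet=ALPHABET):
    """Responses an outsider who knows nothing of the PIK must choose among."""
    return len(alphabet) ** size


class SessionObserver:
    """Models the thread's worry: something on a shared computer that can see
    which letter was dropped on which numbered spot, login after login."""

    def __init__(self):
        self.known = {}   # PIK position -> letter

    def record(self, positions, response):
        for pos, letter in zip(positions, response):
            self.known[pos] = letter

    def has_full_pik(self, length=PIK_LENGTH):
        return len(self.known) == length


def simulate_login(pik, seed):
    """One login on the shared machine: returns (positions asked, letters given)."""
    rng = random.Random(seed)
    positions = make_challenge(rng, len(pik))
    return positions, answer_challenge(pik, positions)


def logins_until_recovered(pik, seed=0):
    """Number of observed logins until every PIK position has been seen once."""
    rng = random.Random(seed)
    observer = SessionObserver()
    logins = 0
    while not observer.has_full_pik(len(pik)):
        positions = make_challenge(rng, len(pik))
        response = answer_challenge(pik, positions)
        assert verify(pik, positions, response)   # the login itself succeeds
        observer.record(positions, response)
        logins += 1
    return logins


def expected_recovered_fraction(logins, length=PIK_LENGTH, size=CHALLENGE_SIZE):
    """Closed form: a given position stays unseen after n logins with
    probability ((length - size) / length) ** n, so the observer expects
    to know 1 minus that share of the PIK."""
    return 1 - ((length - size) / length) ** logins


def mean_logins_to_recover(trials=200, seed=1):
    """Average over fresh PIKs of how many observed logins a full recovery takes."""
    total = 0
    for t in range(trials):
        total += logins_until_recovered(generate_pik(seed + t), seed=seed + t)
    return total / trials


if __name__ == "__main__":
    pik = generate_pik(7)
    print("constructed PIK:", pik)
    for n in (1, 2, 5, 10):
        print(f"after {n} observed login(s) an observer expects to know "
              f"{expected_recovered_fraction(n):.0%} of the PIK")
    print("mean observed logins until the whole PIK is known:",
          mean_logins_to_recover())
    print("guesses an outsider faces for one login:", guess_space())
```

The two numbers worth comparing are `guess_space()` (what a stranger faces at one login) and `mean_logins_to_recover()` (roughly a dozen logins on a watched machine before the observer needs no guessing at all); rotating the PIK after one or two public logins keeps the observer's `known` map well short of the full 30 positions.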
