An interesting suggestion. I think Ian's suggestion of using something that is easier remembered than a number or letter is good. The UI issue is partially addressed by having a 'what's this' pop-up above it the first few times a user-profile submits a form.
I like the password-hash concept [Blake and others] implemented within the browser (see a password field and at form-post time hash in the user [or autofill] entered password with the site base-domain) as an anti-phishing measure though the problem is that it locks a user into a specific browser and probably specific installation of the browser as well.
Indeed; this problem can be avoided by not doing it at form-submission time, but instead making the user perform a specific action to fill in the field with the password. If this is based on a master password, and all copies of Firefox use the same algorithm, it's portable to any installation of Firefox without reconfiguration.
I've blogged about this; search my blog for "PwdHash".
Gerv
_______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
