Gervase Markham wrote:
> Ian G wrote:
>> Solving password loss is a big issue, support departments
>> put this as one of their biggest problems.  So addressing
>> it at the browser is probably worthwhile.
>
> I'm not quite sure what you mean by "solving password loss". Are you suggesting this feature will help people to remember their password? Or are you talking about avoiding three-strikes lockout?

Yes to both.  By "solving password loss" I mean
reducing the incidence of lost passwords, both for
the user and the support department.  The average
support department is facing costs in the order of
$20 per incident (+/-) and any lost password is
way more expensive if dealt with manually.  In the
gold world, a lost password will cost you 1gg on
one system, and 5gg on another system.  One is
undercharging and the other is charging at their
programmer rate...

(at today's price, USD $14 buys 1gg).

>> From that pov, I'd suggest putting a radio button next to
>> the password form field that turned on clear instead of
>> stars.
>
> Much as I'd like to do this, I think it would scare people.

Yes, that's a big problem in trying to improve security.
In general, one way to do this is to package it with
some other benefit so that people get used to the new
system, and by the time they've done that, they've
worked out for themselves why it is more secure and how
to use it.

In general, in a lot of security work, you've just got
to do it and expect to take some bullets.  In security,
amateurs talk about bit strengths and professionals
talk about body armour.

> Other options I've seen suggested are putting the last three characters typed into the box in a light grey, to allow easy noticing and correction of typos while making shoulder-surfing still hard.

So many ideas, so many experiments to run :)

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
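Added illustration, not code from this thread or from Mozilla: a display model for the three password-box behaviours the messages above discuss (all stars, clear text via a toggle, and the last three characters typed shown in light grey). The class, method and mode names are my own. It keeps the real secret separate from the rendered text, so the widget's masking can never alter what the form submits; the demo password is constructed, not a real credential.

```javascript
// Added example, not code from this thread: a display model for the three
// password-box behaviours discussed above (all stars, clear text via a
// toggle, and the last N typed characters shown in light grey). Class,
// method and mode names are my own. The secret lives in `chars` and is
// what gets submitted; render() only produces what the widget paints.

const MASK_CHAR = '\u2022'; // bullet, as browsers typically draw masked input
const MODES = ['stars', 'clear', 'tail'];

class MaskedField {
  constructor({ mode = 'stars', tail = 3 } = {}) {
    this.setMode(mode);
    this.tail = tail;
    this.chars = []; // real value as code points, so one astral char maps to one mask char
  }

  typeChar(ch) { this.chars.push(...Array.from(ch)); }
  backspace() { this.chars.pop(); }

  setMode(mode) {
    if (!MODES.includes(mode)) throw new RangeError(`unknown mode: ${mode}`);
    this.mode = mode;
  }

  // What the form submits: never derived from the rendered text.
  value() { return this.chars.join(''); }

  // Segments for the renderer: 'masked' -> bullets, 'revealed' -> normal ink,
  // 'hint' -> the light-grey tail a shoulder surfer only sees for a moment.
  render() {
    const n = this.chars.length;
    if (n === 0) return [];
    if (this.mode === 'clear') return [{ text: this.value(), style: 'revealed' }];
    if (this.mode === 'stars') return [{ text: MASK_CHAR.repeat(n), style: 'masked' }];
    const shown = Math.min(this.tail, n);
    const segments = [];
    if (n > shown) segments.push({ text: MASK_CHAR.repeat(n - shown), style: 'masked' });
    segments.push({ text: this.chars.slice(n - shown).join(''), style: 'hint' });
    return segments;
  }

  // Flattened view, handy for tests and for a plain-text mock-up.
  renderText() { return this.render().map(s => s.text).join(''); }
}

// Replays a keystroke script ('\b' = backspace) and returns what the widget
// would show after each step, for comparing the modes side by side.
function replay(script, options) {
  const field = new MaskedField(options);
  return script.map(step => {
    if (step === '\b') field.backspace();
    else field.typeChar(step);
    return field.renderText();
  });
}

// Demo with a constructed password (not a real credential).
console.log(replay(['h', 'u', 'n', 't', 'e', 'r', '2'], { mode: 'tail' }).join('  '));
```

The design point is the split between `value()` and `render()`: a widget that rewrites the input's own value to paint bullets plus a grey tail will submit the bullets, so the true value has to be held separately from anything drawn on screen, whichever of the three modes the user has selected.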
