[email protected] wrote:
I'm beginning to suspect that some web developers are starting to use
two-page login forms deliberately to prevent their users from using
password managers on the assumption they won't be secure, rather than
leaving it up to their users to ensure they store their passwords
securely. In which case, even if something is done in the browser which
works most of the time, those web developers may make sure they hit the
conditions for it to not work for their site and the whole cycle would
start again...

Some of it may be a way of defending against passwords "remembered" (whether in the browser, as with Mozilla, or in the way that IE keeps stuff in the Windows registry). Given the antipathy of some developers towards Mozilla (including the long-time problem of improper sniffing methodologies, looking explicitly for "Firefox", rather than "Gecko", and sometimes causing for Gecko browsers that aren't Firefox), I think there's some number of developers that aren't really thinking much about the Mozilla method of handling passwords.

However, I think developers are more focused on defending against script-based authentication (presumed to be malicious). By requiring multiple user inputs, it's far more difficult for an attacker to present credentials -- not only valid credentials, but a way of defending against brute-force guessing. And this kind of methodology achieves a lot of the same kind of benefit as CAPTCHA, without annoying users with CAPTCHA images that are difficult to decipher.

I've noticed that multiple-stage logins seem to be most common with financial institutions.

I haven't checked it, but my suspicion is that a tool such as KeePass might have the capacity to script a multiple-stage login.

Smith

_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
