[Cryptography] Toxic Combination

Bowness, Piers piers.bowness at rsa.com
Mon Dec 1 10:54:49 EST 2014

On Sunday, November 30, 2014 4:56 PM Guido Witmond wrote:

> People need to validate the authenticity of a site before typing in their password;

Although not the best solution, this is commonly mitigated by the use of
separate screens for user name and password entry. The secondary (SSL-protected)
password screen contains a user-selected image and phrase. If either is incorrect
or missing, the user is supposed to decline to enter their password. The assumption
is that capturing the image and phrase would be difficult for a malicious party to

This is used in addition to being able to verify the bank's PKI and trusted CA. 

-Piers Bowness
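A runnable sketch of the two-screen flow described in the message above, added here as an example; it is not code from the post or from any bank's implementation. The account record, the PBKDF2 password hashing, the "device token" that stands in for the browser cookie a site would check before revealing the personalization, and the look-alike PhishingSite class are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data for the example; nothing here comes from the original post.
IMAGES = {"img-lighthouse": "lighthouse.png", "img-kettle": "kettle.png"}


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    image_id: str                                     # user-selected anti-phishing image
    phrase: str                                       # user-selected anti-phishing phrase
    device_tokens: set = field(default_factory=set)   # assumed browser-cookie binding


class Site:
    """Two-screen login: screen 1 takes only the user name, screen 2 shows the
    user's image and phrase and only then asks for the password."""

    def __init__(self):
        self.accounts: dict = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, image_id: str, phrase: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, self._hash(password, salt), image_id, phrase)

    def enroll_device(self, username: str) -> str:
        """Assumed enrollment step: hand the browser a token (cookie) that lets
        screen 1 release the image and phrase for this account later."""
        token = secrets.token_urlsafe(32)
        self.accounts[username].device_tokens.add(token)
        return token

    def screen1(self, username: str, device_token: str):
        """Return (image, phrase) for screen 2, or None when the account is
        unknown or the browser is not enrolled, so that a user name alone does
        not reveal the personalization (assumed policy)."""
        acct = self.accounts.get(username)
        if acct is None or device_token not in acct.device_tokens:
            return None
        return (IMAGES[acct.image_id], acct.phrase)

    def screen2(self, username: str, password: str) -> bool:
        """Verify the password; constant-time comparison of the stored hash."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt))


class PhishingSite:
    """Look-alike site with no account data: it can show the user name it just
    collected a picture and a phrase, but only a guess. Captured passwords are
    recorded so the example can show that none are ever received."""

    def __init__(self):
        self.captured = []

    def screen1(self, username: str, device_token: str):
        return ("generic-bank-logo.png", "Welcome back!")

    def screen2(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return True


def user_accepts(expected, shown) -> bool:
    """The user-side check the post describes: decline to type the password
    unless both the image and the phrase are exactly the ones chosen."""
    return shown is not None and shown == expected


def attempt_login(site, username: str, password: str, device_token: str, expected):
    """Drive the two screens. Returns (password_was_sent, authenticated)."""
    shown = site.screen1(username, device_token)
    if not user_accepts(expected, shown):
        return (False, False)          # user declines; the password never leaves the browser
    return (True, site.screen2(username, password))


if __name__ == "__main__":
    bank = Site()
    bank.register("alice", "correct horse", "img-lighthouse", "purple monkey")
    token = bank.enroll_device("alice")
    expected = ("lighthouse.png", "purple monkey")
    print("real site:", attempt_login(bank, "alice", "correct horse", token, expected))
    phish = PhishingSite()
    print("phishing site:", attempt_login(phish, "alice", "correct horse", token, expected))
    print("passwords captured by phisher:", phish.captured)
```

The example models only the simplest attacker, a look-alike page that has no way to obtain the real image and phrase; the post's own caveat that this is "not the best solution" stands as written.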
