[Cryptography] Toxic Combination

Bowness, Piers piers.bowness at rsa.com
Mon Dec 1 10:54:49 EST 2014


On Sunday, November 30, 2014 4:56 PM Guido Witmond wrote:

> People need to validate the authenticity of a site before typing in their password;

Although not the best solution, this is commonly mitigated by the use of
separate screens for user name and password entry. The secondary (SSL-protected)
password screen contains a user-selected image and phrase. If either is incorrect
or missing, the user is supposed to decline to enter their password. The assumption
is that capturing the image and phrase would be difficult for a malicious party to
intercept.

This is used in addition to being able to verify the bank's PKI and trusted CA. 

-Piers Bowness
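The two-screen flow described in the reply, modelled as an added example (not code from the post or from any bank): the server returns the per-account image and phrase after the user name is submitted, and the user only proceeds to the password if both match what they remember. Account records and the impostor site are constructed stand-ins.

```python
"""Two-screen login: user name first, then a per-user recognition
image and phrase, and only then the password."""

# Constructed per-account records chosen at enrolment (example data).
SERVER_RECORDS = {
    "alice": {"image": "sunset.png", "phrase": "blue teapot"},
    "bob": {"image": "lighthouse.png", "phrase": "green ladder"},
}

# A look-alike site holding no per-account data (constructed stand-in
# for the malicious party in the post); it can show nothing personal.
IMPOSTOR_RECORDS = {}

# What Alice remembers from enrolment (constructed).
ALICE_REMEMBERS = {"image": "sunset.png", "phrase": "blue teapot"}


def screen_one(records, username):
    """Server side of screen 1: after the user name is submitted, return
    the recognition data that account chose, or None if unknown."""
    return records.get(username)


def user_accepts_screen_two(expected, presented):
    """Client side of screen 2: the user compares the presented image and
    phrase with what they remember. A missing or mismatched element means
    the password must not be typed."""
    if presented is None:
        return False
    return (presented.get("image") == expected["image"]
            and presented.get("phrase") == expected["phrase"])


def attempt_login(server_records, username, remembered):
    """Run both screens against a given server and report whether the
    user would go on to enter the password."""
    presented = screen_one(server_records, username)
    return user_accepts_screen_two(remembered, presented)


def demo():
    """Genuine site passes the check; the impostor, lacking the
    per-account record, does not."""
    genuine = attempt_login(SERVER_RECORDS, "alice", ALICE_REMEMBERS)
    impostor = attempt_login(IMPOSTOR_RECORDS, "alice", ALICE_REMEMBERS)
    return genuine, impostor


if __name__ == "__main__":
    print(demo())
```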


