[Cryptography] Of web form passwords etc
ianG
iang at iang.org
Mon Dec 29 13:07:32 EST 2014
On 29/12/2014 16:17 pm, Dave Horsfall wrote:
> There's been a bit of discussion about this, so here's one more item to
> throw into the stew-pot.
>
> We've all seen those forms where the name is pre-filled (cookies, etc), and
> you merely have to supply a password, right? All well and good, I
> suppose, as it enhances my web experience, etc.
>
> Well, I'm starting to see the opposite: password field filled in, and all
> I have to do is supply, say, my email address...
>
> Am I paranoid enough, yet? My current browser is Firefox (always updated)
> on a Mac (similarly always updated).

Firefox is probably better at creating, remembering, filling
than you can ever be [0]. In a fair test there would be no comparison.

The reason that Firefox is not used more in this area is probably
slowness in developing agent software to manage this whole arrangement,
also affected by conservative security thinking that prefers to replace
weaknesses in the agent security model with weaknesses in the user's
security model.

iang

[0] Indeed, Firefox should probably be using PKs to log in, which are
much better in security terms, but the design wasn't really aligned to
what we usefully want so client-cert tech is a bit fallow.