[Cryptography] Of web form passwords etc

ianG iang at iang.org
Mon Dec 29 13:07:32 EST 2014

On 29/12/2014 16:17 pm, Dave Horsfall wrote:
> There's been a bit of discussion about this, so here's one more item to
> throw into the stew-pot.
> We've all see those forms where the name is pre-filled (cookies, etc), and
> you merely have to supply a password, right?  All well and good, I
> suppose, as it enhances my web experience, etc.
> Well, I'm starting to see the opposite: password field filled in, and all
> I have to do is supply, say, my email address...
> Am I paranoid enough, yet?  My current browser is Firefox (always updated)
> on a Mac (similarly always updated).

Firefox is probably better than you at creating, remembering, filling 
than you can ever be [0].  In a fair test there would be no comparison.

The reason that Firefox is not used more in this area is probably 
slowness in developing agent software to manage this whole arrangement, 
also affected by conservative security thinking that prefers to replace 
weaknesses in the agent security model with weaknesses in the user's 
security model.


[0]   Indeed, Firefox should probably be using PKs to log in, which are 
much better in security terms, but the design wasn't really aligned to 
what we usefully want so client-cert tech is a bit fallow.

More information about the cryptography mailing list