[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

Joseph Kilcullen kilcullenj at gmail.com
Wed Feb 8 12:26:03 EST 2017


On 08-Feb-17 4:54 PM, Bill Cox wrote:
>
>
>     So, maybe if we just used a confidence image for our corporate
>     logins we'd get better results.  For example, if you worked for
>     Microsoft, then you'd see the special un-clonable Microsoft login
>     page, with a secret picture, maybe a secret color scheme, etc. 
>     Apparently, this does help, but the folks I talked to said that a
>     significant majority of workers who see their corporate login page
>     every day will _still_ enter their username and password on the
>     first form that asks for it, even with a domain name that is quite
>     different than their corporate domain name.
>
Yes, I agree with all this. I figure this solution will force the 
phishers into the Certificate Authority domain. Force them to up their 
game. Right now they don't need any TLS certificate. Also, while I agree
with your stories, I hate a good solution being dismissed because there
are idiots out there. In my opinion, proper cryptographers should see the
simplicity of this solution. The responses I've got so far are very 
helpful because they indicate people are just not reading my paper.

They look at the picture and assume it's SiteKey, which it is not!

Thanks