[Cryptography] So please tell me. Why is my solution wrong?

J. Oquendo joquendo at e-fensive.net
Wed Feb 8 15:04:04 EST 2017


On Wed, 08 Feb 2017, Theodore Ts'o wrote:

> On Tue, Feb 07, 2017 at 10:33:05PM -0800, Bill Cox wrote:
> > I just read it, and I think the main idea is clever.  Show the user a
> > secret picture whenever they authenticate.  This could help defend against
> > phishing attacks.
> 
> My bank is doing that already, and has been doing it for, oh, two or
> three years?  So it's hardly a new or novel technique.

Show the user a picture of a violin where their keyword is
99.9999% likely to be (drumroll) violin. Or a picture of
a monkey where the keyword will be? Would be more effective
if they allowed the user to upload something arbitrary.
Then again, my first guess at seeing a picture of Marilyn
Monroe would be Marilyn.

My gripe with giving the user too much control over these
aspects is that it's often the user that dumbs down the
technology. E.g., using the password "p4ssw0rd" and then
a 2FA PIN of 1111 or 1234. It would benefit organizations to
give their clients a "5-10 minute video" explaining the
need and the benefit for security, so users can understand
it versus thinking adding another breakable layer of
security will aid. E.g., so what, you're giving them a
picture. I have a keystroke logger. Now what?


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463