[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?
James A. Donald
jamesd at echeque.com
Thu Feb 9 02:05:38 EST 2017
> > Will it work? To answer that question, hold down the Ctrl and alt
> > keys, and press the del key. Now imagine that with a background
> > image unique to each person's computer.
On 2/9/2017 12:11 PM, Peter Gutmann wrote:
> Now imagine someone running a real-world user study to see if it actually
> works in practice rather than just in theory. Given all the studies that
> have been done on this sort of thing in the past showing that it's not very
> effective in practice, I would assume by simple extrapolation that the
> answer remains "no", but I'm happy to be proven wrong.
How would you run a real world user study?
The problem with today's users is that they are trained to be phished,
because they are trained to enter their passwords into a wide variety of
UIs.
To untrain them, you need to stop people from being asked to enter their
passwords into a wide variety of UIs. You not only need to provide a
password user interface to a zero-knowledge password proof, where both
parties prove knowledge of the password without giving it away, but the
state also has to prohibit its subjects, or perhaps the business its
employees, or perhaps Clinton her co-conspirators, from using any
software or service that uses any other interface to enter a password.
To give this a fair test requires an ecosystem of software and services
that uses the system, and some substantial compulsion and coercion to
exclude anything outside that ecosystem.
Anything less is not a fair test.
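The post does not name a specific "zero knowledge password proof" protocol. As an added example (not code from the post or from anyone in the thread), here is SRP-6a, one widely deployed augmented PAKE, in pure Python: the password is hashed only on the client, the server stores a verifier rather than the password, and the wire carries only ephemeral values and proofs. The group is the 1024-bit one from RFC 5054 Appendix A (chosen for brevity; a 2048-bit or larger group and a vetted library are the practical choice), the hash is SHA-256, and the username and passwords are constructed test inputs.

```python
"""SRP-6a (augmented PAKE), illustrative pure-Python implementation.
Not production code: small group, no rate limiting, no transport binding."""
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group (illustration only; prefer >= 2048 bits)
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """PAD() from RFC 5054: fixed-width big-endian encoding of a group element."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def H_int(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")


K_MULT = H_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N || PAD(g))


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt || H(username ':' password)); computed only on the client side."""
    return H_int(salt, H(username.encode(), b":", password.encode()))


def enroll(username: str, password: str):
    """Registration. The server keeps (salt, v); v = g^x lets it check proofs
    but does not let a thief of the database log in as the user."""
    salt = secrets.token_bytes(16)
    v = pow(G, private_x(salt, username, password), N)
    return salt, v


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v

    def challenge(self, A: int):
        if A % N == 0:                      # reject degenerate client ephemeral
            raise ValueError("invalid client ephemeral A")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * self.v + pow(G, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1: bytes):
        """Check the client's proof M1; return the server's proof M2, or None."""
        u = H_int(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        K = H(pad(S))
        expected = H(pad(self.A), pad(self.B), K)
        if not hmac.compare_digest(expected, M1):
            return None
        return H(pad(self.A), M1, K)


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def start(self) -> int:
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(G, self.a, N)
        return self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:                      # reject degenerate server ephemeral
            raise ValueError("invalid server ephemeral B")
        u = H_int(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        x = private_x(salt, self.username, self.password)
        base = (B - K_MULT * pow(G, x, N)) % N   # equals g^b when v matches x
        S = pow(base, self.a + u * x, N)
        self.K = H(pad(S))
        self.M1 = H(pad(self.A), pad(B), self.K)
        return self.M1

    def check_server(self, M2) -> bool:
        if M2 is None:
            return False
        return hmac.compare_digest(H(pad(self.A), self.M1, self.K), M2)


def login(server: Server, username: str, typed_password: str) -> bool:
    """One full exchange. Only A, salt, B, M1 and M2 cross the wire; the password
    and x never leave the client. Returns True on mutual authentication."""
    client = Client(username, typed_password)
    A = client.start()
    salt, B = server.challenge(A)
    M1 = client.respond(salt, B)
    M2 = server.verify(M1)
    return client.check_server(M2)


def demo(enrolled_password: str, typed_password: str) -> bool:
    """Enroll a constructed user 'alice', then attempt a login with typed_password."""
    salt, v = enroll("alice", enrolled_password)
    return login(Server(salt, v), "alice", typed_password)
```

The relevant property for the phishing argument in the post: a site that does not hold the verifier gets nothing from the transcript except the chance to test a single password guess per session (it must commit to a guess when it forms B), so the damage from typing into the wrong UI is bounded rather than total. That only holds if every password-entry UI the user sees speaks this protocol, which is the ecosystem-and-compulsion point the post makes.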