Re: [WEB SECURITY] SSL does not = a secure website
- From: Gervase Markham <gerv@xxxxxxxx>
- Subject: Re: [WEB SECURITY] SSL does not = a secure website
- Date: Wed, 29 Mar 2006 09:40:04 -0800
James Strassburg wrote:
> There are additional countermeasures that a web application can
> implement. For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th character of
> your password). I should state that while I've read about these I don't
> know of a web application that makes use of them.
Barclays Bank in the UK uses the latter - a five-digit numeric password,
specified in full, and a memorable word, of which you specify two
letters using dropdown lists (so you have to use the mouse).
Gerv
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org
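
The partial-password challenge discussed in this message (a few letters of a memorable word, at positions the site picks), sketched server-side as an added example; it is not part of the original message and not Barclays' implementation. The per-position keyed tags, the `PartialLogin` class, the failure limit and the sample word are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PICK = 2  # letters requested per login, as in the message above

def _tag(key: bytes, pos: int, ch: str) -> bytes:
    # Keyed tag for one letter at one position. A single hash of the whole
    # word could not verify individual letters, so storage is per position.
    return hmac.new(key, f"{pos}:{ch.lower()}".encode(), hashlib.sha256).digest()

def enroll(word: str, key: bytes) -> list:
    """Return the per-position tags to store; `key` is a server-side secret (assumed)."""
    if len(word) <= PICK:
        raise ValueError("memorable word too short for a partial challenge")
    return [_tag(key, i, ch) for i, ch in enumerate(word)]

class PartialLogin:
    """One account's challenge state (hypothetical helper, not a library API)."""

    def __init__(self, tags, key, max_failures=3):
        self.tags, self.key = tags, key
        self.max_failures = max_failures
        self.failures = 0
        self.challenge = None  # 0-based positions currently being asked for

    def get_challenge(self):
        # The same positions are kept until answered correctly, so reloading
        # the login page does not yield a different selection.
        if self.challenge is None:
            rng = secrets.SystemRandom()
            self.challenge = sorted(rng.sample(range(len(self.tags)), PICK))
        return [p + 1 for p in self.challenge]  # 1-based, as shown to the user

    def answer(self, letters):
        if self.failures >= self.max_failures:
            return False  # locked: needs an out-of-band reset
        if self.challenge is None or len(letters) != PICK:
            return False
        ok = True
        for pos, ch in zip(self.challenge, letters):
            # Constant-time compare; check every letter before deciding.
            ok &= hmac.compare_digest(_tag(self.key, pos, ch), self.tags[pos])
        if ok:
            self.challenge, self.failures = None, 0
        else:
            self.failures += 1
        return ok
```

Each stored tag covers a single letter, so the scheme's strength rests on keeping `key` secret and on the failure limit, not on the tags themselves.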