Re: Public Access Terminals and Account Integrity.

We could always add a seperate part to the login where you pick an item (previously chosen via your preferences) from a group of items. The items would be shuffled every page load so your item would always be in different positions rendering a keylogger and sniffer ineffective. Seems pretty high security that no other websites includes banks even bother with ;) It could still be a fun side project though.

For those who can't picture it. Say we pick 10 words. Each word is displayed on the login page as a radio button. The radio buttons values are randomly picked and the correct one (associated with the correct word) is stored on the server in the user session. When the user picks one it compares there password and word with the session to see if they match. Sniffing would do no good because the values sent back and forth each time would change and have no meaning. A slightly more complex twist would be for each user to have a rule like I pick the word starting with an a, you pick the one with two ee's etc. Anyway it all seems a bit of overkill but that doesn't mean it wouldn't be a fun project! ;)

___________
Eric Hodges

Comment on Re: Public Access Terminals and Account Integrity.

Replies are listed 'Best First'.

Re^2: Public Access Terminals and Account Integrity.
by ptum (Priest) on Apr 17, 2006 at 15:40 UTC

Actually, Bank of America does this as an anti-phishing measure. They have you associate some text with one of several dozen images, and then they display your text with the image before they ask for your login password. While not foolproof (for some values of 'fool') this seems to be a reasonable security measure, and it might be a fun feature to implement, even if it isn't really necessary. :)

No good deed goes unpunished. -- (attributed to) Oscar Wilde

[reply]


Pathologically Eclectic Rubbish Lister
	PerlMonks