[WEB SECURITY] SSL does not = a secure website

Gervase Markham gerv at gerv.net
Wed Mar 29 12:40:04 EST 2006


James Strassburg wrote:
> There are additional countermeasures that a web application can
> implement.  For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th character of
> your password).  I should state that while I've read about these I don't
> know of a web application that makes use of them.

Barclays Bank in the UK uses the latter - a five-digit numeric password,
specified in full, and a memorable word, of which you specify two
letters using dropdown lists (so you have to use the mouse).

Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list