[WEB SECURITY] SSL does not = a secure website

Gervase Markham gerv at gerv.net
Wed Mar 29 12:40:04 EST 2006

James Strassburg wrote:
> There are additional countermeasures that a web application can
> implement.  For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th character of
> your password).  I should state that while I've read about these I don't
> know of a web application that makes use of them.

Barclays Bank in the UK uses the latter - a five-digit numeric password,
specified in full, and a memorable word, of which you specify two
letters using dropdown lists (so you have to use the mouse).
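
A sketch of the server side of the "two letters of a memorable word" check described above, as an added example that is not part of the original post and not Barclays' implementation. The class and method names (`PartialWordChallenge`, `issue`, `verify`) and the sample user and word are hypothetical. It assumes the server can read the memorable word at verification time; how that word is stored is outside the example.

```python
import hmac
import secrets


class PartialWordChallenge:
    """Ask for k letters of a memorable word, identified by 1-based position."""

    def __init__(self, k=2):
        self.k = k
        self._pending = {}  # user -> positions still awaiting a correct answer

    def issue(self, user, word_len):
        # Keep an outstanding challenge until it is answered correctly.
        # Re-rolling positions on every page load would let someone who knows
        # only a few letters reload until those positions are asked for.
        if user not in self._pending:
            if word_len < self.k:
                raise ValueError("memorable word shorter than challenge size")
            rng = secrets.SystemRandom()  # OS CSPRNG, not the default PRNG
            picks = rng.sample(range(1, word_len + 1), self.k)
            self._pending[user] = tuple(sorted(picks))
        return self._pending[user]

    def verify(self, user, word, answers):
        positions = self._pending.get(user)
        if positions is None or len(answers) != len(positions):
            return False
        # Each answer must be exactly one character (one dropdown selection).
        if any(len(a) != 1 for a in answers):
            return False
        expected = "".join(word[p - 1] for p in positions).lower()
        supplied = "".join(answers).lower()
        # Constant-time comparison of the selected letters only.
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        if ok:
            del self._pending[user]  # the next login gets fresh positions
        return ok


if __name__ == "__main__":
    gate = PartialWordChallenge()
    word = "lighthouse"  # constructed sample value
    asked = gate.issue("alice", len(word))
    print("Select letters", asked, "of your memorable word")
    print(gate.verify("alice", word, [word[p - 1] for p in asked]))
```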

