[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Schmidt, Chris cschmidt at servicemagic.com
Wed Jul 15 13:37:38 EDT 2009


You could propose something for this as a project for OWASP Summer of
Code. Just a thought.

-----Original Message-----
From: Jim Manico [mailto:jim at manico.net] 
Sent: Tuesday, July 14, 2009 8:24 PM
To: gaz Heyes
Cc: Martin, Christopher; Bil Corry; Chris Varenhorst; Matt Parsons;
websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Jakob Nielsen's Stop Password Masking

I bet we could leverage existing secure token technologies and  
infrastructure to implement this design. The users gain significant  
usability without increasing risk. What's not to like? Get some VC and  
start a company around this. :)

Jim Manico

On Jul 14, 2009, at 12:02 PM, gaz Heyes <gazheyes at gmail.com> wrote:

> I've been following this thread with interest, and here is Nielsen  
> once again stirring up controversy without providing any  
> alternative. So I thought I'd chip in with a possible solution...
>
> Key switching
>
> It could work in two ways with a hardware/software device. Basically,  
> the idea is that you type a keyword on screen which is replaced with  
> an alternative representation of the keys. So "password" becomes  
> "1L&d5xs@": visually "password" is displayed, but once you've finished  
> typing, the letters are obscured (either on form submit or after a  
> delay) and the keys are switched. This could be done either with the real  
> password, so you associate your key switching device with the  
> website and key switch keyword and the password is replaced, or the  
> keys are switched automatically when typing a password, in a random order  
> that is defined once by the device. Obviously this would be no use  
> for MiM attacks, but for stopping shoulder surfing and improving  
> usability it would be good. Thoughts?
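Added example, not code from the thread or from any of its participants: a minimal JavaScript model of the key-switching display gaz Heyes sketches above, where each typed character stays in clear for a short hold time and is then shown through a substitution table fixed once per device. The names (makeSwitchTable, renderDisplay, submitValue, the hold time and seed) are assumptions; as the post notes, this only addresses shoulder surfing, and the real value still reaches the server unchanged.

```javascript
// Added example (not from the thread). Models "key switching": typed
// characters are shown in clear briefly, then switched on screen to decoy
// characters from a table fixed once per device. Hypothetical names.

const ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%&*";

// Small deterministic PRNG (mulberry32) so one device seed always yields
// the same table; a real device would draw the seed from a CSPRNG once.
function mulberry32(seed) {
  return function () {
    seed |= 0; seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Build the device's switching table as a Fisher-Yates permutation of
// ALPHABET, so the on-screen decoy is a bijection of the real input and
// the typist's real characters never appear on screen after the hold time.
function makeSwitchTable(seed) {
  const rnd = mulberry32(seed);
  const chars = ALPHABET.split("");
  for (let i = chars.length - 1; i > 0; i--) {
    const j = Math.floor(rnd() * (i + 1));
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  const table = new Map();
  ALPHABET.split("").forEach((c, i) => table.set(c, chars[i]));
  return table;
}

// entries: [{ch, typedAt}] in typing order (timestamps in ms). Characters
// older than holdMs are rendered through the table; newer ones stay in
// clear so the typist can check them. Characters outside ALPHABET show '*'.
function renderDisplay(entries, table, now, holdMs) {
  return entries.map(({ ch, typedAt }) =>
    now - typedAt < holdMs ? ch : (table.has(ch) ? table.get(ch) : "*")
  ).join("");
}

// What the form actually submits: the real password. Nothing here
// protects the value in transit (the MiM caveat raised in the thread).
function submitValue(entries) {
  return entries.map((e) => e.ch).join("");
}

// Constructed sample: "password" typed one character every 100 ms.
const sample = "password".split("").map((ch, i) => ({ ch, typedAt: i * 100 }));
```

Viewed at 800 ms with a 250 ms hold, only the last two characters ("rd") are still in clear; everything earlier is shown through the device table.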

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA