[clug] Internet banking and browser compatibility
Martin Schwenke
martin at meltin.net
Fri Feb 13 11:02:46 GMT 2009
>>>>> "Tim" == Tim Murphy <tim at murphy.org> writes:

Tim> Community CPS used to use the icons authentication which I
Tim> found a pain to use. [...]

It is also not good security. You pick 3 icons and then they randomly
change the other 6 every so often. So a patient attacker, who knows
your username/password, can login from time to time and notice which
icons don't change... That's your 3! Then there aren't many
combinations to try...

A better scheme would be to always use a fixed set of 9 icons that
includes your 3 selected icons. Then guessing would be much more
difficult.

I wrote to CPS about this and they replied with a blurb about how this
technology increased security... :-(

Note that I didn't originally notice this problem - someone mentioned
it during a talk at an AUUG conference a few years ago.

peace & happiness,
martin
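
The following simulation is an added example, not part of the original post or of any bank's code. It models the two grid designs described above so the difference in leaked information can be measured when evaluating such a scheme. The catalogue size of 50 icons, the unordered selection, and all function names are assumptions.

```python
import math
import random

CATALOGUE = list(range(50))  # assumed catalogue size; the post does not state it
GRID, SECRET = 9, 3          # from the post: 9 icons shown, 3 belong to the user


def draw_grid(secret, rng):
    """The user's 3 icons plus 6 decoys drawn from the rest of the catalogue."""
    pool = [icon for icon in CATALOGUE if icon not in secret]
    return set(secret) | set(rng.sample(pool, GRID - SECRET))


def icons_always_present(show_grid, views):
    """Icons that appear on every one of `views` challenge screens."""
    common = set(show_grid())
    for _ in range(views - 1):
        common &= show_grid()
    return common


def remaining_candidates(scheme, views=20, seed=1):
    """Return (icons still plausible, unordered 3-icon guesses left)."""
    rng = random.Random(seed)  # constructed, reproducible sample data
    secret = set(rng.sample(CATALOGUE, SECRET))
    if scheme == "rotating":
        # Scheme as described: decoys are redrawn for each screen.
        show = lambda: draw_grid(secret, rng)
    else:
        # Proposed fix: decoys drawn once at enrolment, same 9 every time.
        fixed = draw_grid(secret, rng)
        show = lambda: fixed
    common = icons_always_present(show, views)
    assert secret <= common  # the real icons are always on screen
    return len(common), math.comb(len(common), SECRET)


if __name__ == "__main__":
    for scheme in ("rotating", "fixed"):
        icons, guesses = remaining_candidates(scheme)
        print(f"{scheme:8s}: {icons} plausible icons, {guesses} guesses left")
```

With rotating decoys the screens themselves narrow the 9 icons down to the user's 3; with a fixed grid all 9 stay plausible no matter how many screens are viewed.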