[clug] Internet banking and browser compatibility

Martin Schwenke martin at meltin.net
Fri Feb 13 11:02:46 GMT 2009

>>>>> "Tim" == Tim Murphy <tim at murphy.org> writes:

    Tim> Community CPS used to use the icons authentication which I
    Tim> found a pain to use.  [...]

It is also not good security.  You pick 3 icons and then they randomly
change the other 6 every so often.  So a patient attacker, who knows
your username/password, can login from time to time and notice which
icons don't change... That's your 3!  Then there's not many
combinations to try...

A better scheme would be to always use a fixed set of 9 icons that
includes your 3 selected icons.  Then guessing would be much more

I wrote to CPS about this and they replied with a blurb about how this
technology increased security...  :-(

Note that I didn't originally notice this problem - someone mentioned
it during a talk at an AUUG conference a few years ago.

peace & happiness,

More information about the linux mailing list