Jeffrey Hutzelman <jhutz at cmu.edu> writes:

>How do you expect users to remember not to give away their passwords when
>they can't be bothered to remember to wash their hands or look both ways
>before crossing a street?

site_password = HMAC( user_password || 128-bit salt, site_URL );

(or assorted variations thereof, there are a pile of password-fortification
techniques around, and all manner of free and low-cost commercial products that
implement them). That way even if they hand their password over to a phisher,
it won't do the phisher much good.

At this point I expect the peanut gallery to jump in with the usual million or
so corner cases where this won't work, but the important point is that the
above would help most of the people most of the time, and in particular it'd
help the demographic who are most likely to fall into phisher traps, i.e.
non-technical people for whom the standard "the salt isn't portable across my
eight computers and three laptops and therefore your scheme isn't worth trying"
objection doesn't apply.

Peter.
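The derivation sketched in the message above, worked through as an added example (this is not code from the post or from any of the products it alludes to). It assumes HMAC-SHA256, a 24-character encoding of the tag, a constructed master password and salt, and normalisation of the site URL to scheme://host, none of which the message specifies.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SALT_BYTES = 16  # the 128-bit salt from the message, generated once per user


def new_salt() -> bytes:
    """Per-user salt; kept on the user's machine, never sent to any site."""
    return secrets.token_bytes(SALT_BYTES)


def canonical_site(site_url: str) -> str:
    """Reduce the URL to scheme://host so that HTTPS://Bank.Example/login and
    https://bank.example/ derive the same password (assumption: a real
    implementation must pick one such normalisation and stick to it)."""
    parts = urlsplit(site_url)
    return f"{parts.scheme.lower()}://{parts.hostname}"


def site_password(user_password: str, salt: bytes, site_url: str) -> str:
    """site_password = HMAC(user_password || salt, site_URL), as in the message.

    The master password concatenated with the salt is the HMAC key and the
    canonical site URL is the message; the tag is encoded so it can be typed
    into a login form. HMAC-SHA256 and the 24-character output are choices
    made for this example.
    """
    key = user_password.encode("utf-8") + salt
    msg = canonical_site(site_url).encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag[:18]).decode("ascii")


def demo(user_password: str = "correct horse battery",
         salt: bytes = bytes(range(16))) -> dict:
    """Derive passwords for a real site and for a look-alike phishing site
    from the same master password (constructed inputs). The phishing site
    receives a value that is neither the master password nor the real
    site's password, which is the point of the scheme."""
    real = site_password(user_password, salt, "https://bank.example/login")
    same = site_password(user_password, salt, "HTTPS://Bank.Example/")
    phish = site_password(user_password, salt,
                          "https://bank.example.login-verify.invalid/")
    return {"real": real, "same_site_again": same, "phish": phish}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```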
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.