At Wed, 04 Mar 2009 05:34:15 +1300, Peter Gutmann wrote:
>
> Jeffrey Hutzelman <jhutz at cmu.edu> writes:
>
> >How do you expect users to remember not to give away their passwords when
> >they can't be bothered to remember to wash their hands or look both ways
> >before crossing a street?
>
> site_password = HMAC( user_password || 128-bit salt, site_URL );
>
> (or assorted variations thereof, there are a pile of password-fortification
> techniques around, and all manner of free and low-cost commercial products
> that implement them). That way even if they hand their password over to a
> phisher, it won't do the phisher much good.
>
> At this point I expect the peanut gallery to jump in with the usual million or
> so corner cases where this won't work, but the important point is that the
> above would help most of the people most of the time, and in particular it'd
> help the demographic who are most likely to fall into phisher traps, i.e.
> non-technical people for whom the standard "the salt isn't portable across my
> eight computers and three laptops and therefore your scheme isn't worth
> trying" objection doesn't apply.

Peter,

While I think this general class of solutions has some utility, the difficulty is that it requires some UI mechanism to stop the phisher from convincing the user to type their password into a dialog which goes directly to the phisher rather than being hashed. I'm unaware of any general solution to that problem, and this is not really a corner case but rather the main case.

-Ekr
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
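As an added example that is not part of the original thread, here is the construction Peter quotes, site_password = HMAC(user_password || 128-bit salt, site_URL), instantiated in Python with HMAC-SHA256. The choices of keying the MAC on scheme and lowercase host only, of base64-encoding and truncating the output to fit a password field, and the example domain names are my assumptions, not anything the thread specifies. The demo shows the property Peter relies on: a look-alike phishing host gets a different per-site password, so the value handed to the phisher does not work on the real site and does not reveal the master password.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit


def normalize_site(site_url: str) -> str:
    """Reduce a URL to the string used as the HMAC message.

    Assumption (not in the original post): key on scheme and lowercase host
    only, so every page on one site yields the same password while any change
    to the host, including a look-alike phishing domain, yields a different one.
    """
    parts = urlsplit(site_url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {site_url!r}")
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}"


def new_salt() -> bytes:
    """Generate the 128-bit salt that lives on the user's machine."""
    return os.urandom(16)


def derive_site_password(user_password: str, salt: bytes, site_url: str,
                         length: int = 16) -> str:
    """site_password = HMAC(user_password || salt, site_URL).

    The HMAC key is the master password concatenated with the local salt; the
    message is the normalized site identifier. The digest is base64-encoded
    and truncated so it fits a typical password field (assumed policy).
    """
    if len(salt) != 16:
        raise ValueError("salt must be 128 bits")
    key = user_password.encode("utf-8") + salt
    digest = hmac.new(key, normalize_site(site_url).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest)[:length].decode("ascii")


def phishing_demo(master_password: str, salt: bytes) -> dict:
    """Derive passwords for a legitimate site, another page on that site, and a
    look-alike phishing host (all domain names are constructed examples)."""
    return {
        "legit": derive_site_password(
            master_password, salt, "https://www.example-bank.com/login"),
        "same_site": derive_site_password(
            master_password, salt, "https://www.example-bank.com/account/transfer"),
        "phish": derive_site_password(
            master_password, salt, "https://www.examp1e-bank.com/login"),
    }


if __name__ == "__main__":
    salt = new_salt()
    result = phishing_demo("correct horse battery staple", salt)
    for site, pw in result.items():
        print(f"{site:10s} {pw}")
    # "legit" and "same_site" match; "phish" differs and is useless elsewhere.
```

The example only covers the path where the master password actually goes through `derive_site_password`. It cannot do anything about the case Ekr raises, where the user types the master password into a field that the hashing layer never sees; whatever is typed there reaches the phisher unchanged.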