Network Security Web-App-Sec
RE: Should login pages be protected by SSL?

Subject: RE: Should login pages be protected by SSL?
Date: Wed, 22 Jun 2005 09:56:19 -0300
So, what we're really saying is that the biggest hurdle to decent security
is not the technology but the education of the masses who use it.  Which
means we have to make the security totally transparent to the user or solve
the unsolvable problem of user education.

With this in mind would it make more sense to develop systems that do not
let the user choose their password?  This way, they can't use the same
password for everything they do on the web.  The only problem then is
managing the passwords.

For a geek like myself, I can figure out how to easily make use of Bruce
Schneier's Password Safe or another tool like it and ensure that I have a
different password for all my web surfing needs but grandma is going to have
a very difficult time with a setup like this.

Starts to bring me back to that old programming adage.  "Build a system that
an idiot can use and only an idiot will want to use it."

Regards, Glenn Euloth


There may not be an advantage in breaking into that account but 
consider that when grandmother registered at the web site she 
probably picked the same userid and password and password hint as 
she has at lots of other sites ..

And SSL does nothing to mitigate that risk.

-Steve

--
Steve Shah
sshah@RisingEdge.org


SSL mitigates the risk of being able to sniff the userid/password from the
unsecured wireless WAPs.
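The design Glenn floats above, a site that assigns each account a random password instead of letting the user choose one so it cannot be the same password she uses everywhere else, sketched as a small Python account store. This is an added example, not code from the thread or from any of the posters; the in-memory store, the password alphabet and the PBKDF2 work factor are my own choices. It addresses only the reuse risk the thread discusses; the transport still needs SSL, or the assigned password is sniffable on the way in just like a user-chosen one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Alphabet without look-alike characters (0/O, 1/l/I) so a password
# read off the screen can be typed or written down without ambiguity.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def generate_password(length: int = 16) -> str:
    """Server-chosen password drawn from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """In-memory account table, userid -> (salt, digest). Constructed for the example."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, userid: str) -> str:
        """Create the account and return the assigned password exactly once.

        The user never picks the password, so it cannot be one she already
        uses at other sites; only the salted hash is retained server-side.
        """
        if userid in self._accounts:
            raise ValueError("userid already registered")
        password = generate_password()
        self._accounts[userid] = hash_password(password)
        return password

    def verify(self, userid: str, password: str) -> bool:
        """Check a login attempt without ever storing or comparing plaintext."""
        record = self._accounts.get(userid)
        if record is None:
            # Do the same hashing work for unknown userids so a timing
            # difference does not reveal which userids exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    store = AccountStore()
    issued = store.register("grandma")
    print("assigned password:", issued)
    print("login with issued password:", store.verify("grandma", issued))
    print("login with a reused password:", store.verify("grandma", "password123"))
```

The password is returned once from `register()` and then exists only as a salted PBKDF2 digest, so a breach of this site's table does not hand an attacker a credential that works elsewhere, and a credential leaked elsewhere does not open this account. The "managing the passwords" problem Glenn raises is untouched: the user still has to keep the assigned string somewhere, which is exactly where a tool like Password Safe comes in.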