[Dshield] Banks Shifting Logins to Non-SSL Pages

Scott Hollingsworth forum at dshield.org
Tue Aug 23 18:17:47 GMT 2005

The login form doesn't need to be on the front page so the front page doesn't need to be SSL encrypted. I have seen the login form moved from a login page to the front page. The front page was then SSL encrypted to accommodate the login form and the user training. Now SSL is too much overhead for the front page traffic so it is cordoned off to the submit function. Um, why not just move the form back to an SSL encrypted login page? Customer convenience? Probably.

Another beef I have with these logins is the use of methods to prevent the user agent from storing and filling in the credentials. I had taken the more secure route of using longer, more complex, and separate passwords for each login. A local credential database assisted me in "remembering" all these various credentials. Am I to be forced to use easier to remember and fewer passwords so my fingers can be trained to enter them quickly and efficiently?

We really need to get together (customers, companies, banks, governments, individuals, everybody) to find a good standardized replacement to passwords. Biometrics, smartcards, PKI and such could be as easy or easier to use and improve security. Of course it has to be done well.
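Added example, not part of Scott's post or of any dshield code: a small checker for the two patterns complained about above, a login form delivered over plain HTTP that only posts to HTTPS, and a password field marked autocomplete="off" (the usual way sites stop the browser from storing and filling in credentials). The HTML pages, the bank.example hostname and the function name audit_login_page are constructed for illustration; it runs offline against the embedded samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not real bank markup). The first is the pattern the
# post complains about: a plain-HTTP front page whose login form posts to HTTPS
# and tells the browser not to remember the password.
FRONT_PAGE_HTTP = """
<html><body>
<h1>Welcome to bank.example</h1>
<form method="post" action="https://bank.example/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pwd">
  <input type="submit" value="Log in">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

# A login page that is itself served over HTTPS and leaves autocomplete alone.
LOGIN_PAGE_HTTPS = """
<html><body>
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pwd">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Record every <form> with its action, its autocomplete attribute and the
    password inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "autocomplete": (a.get("autocomplete") or "").lower(),
                "passwords": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["passwords"].append(
                    (a.get("name") or "?", (a.get("autocomplete") or "").lower())
                )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return (code, detail) findings for every form in `html` that contains a
    password field. `page_url` is the URL the HTML was fetched from; it decides
    whether the form itself was delivered over TLS."""
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["passwords"]:
            continue  # no password field, so not a login form
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            # Even when the submit goes to HTTPS, whoever can tamper with the
            # unencrypted page can rewrite the action or inject script, and the
            # user has no padlock to check before typing the password.
            findings.append(("FORM_OVER_HTTP",
                             f"login form delivered via {page_scheme}, posts to {action}"))
        if action_scheme != "https":
            findings.append(("POST_OVER_HTTP",
                             f"credentials would be sent in the clear to {action}"))
        for name, field_ac in form["passwords"]:
            if form["autocomplete"] == "off" or field_ac == "off":
                findings.append(("AUTOCOMPLETE_OFF",
                                 f"password field {name!r} forbids the browser from storing it"))
    return findings


if __name__ == "__main__":
    for url, html in (("http://bank.example/", FRONT_PAGE_HTTP),
                      ("https://bank.example/login", LOGIN_PAGE_HTTPS)):
        for code, detail in audit_login_page(url, html):
            print(f"{url}: {code}: {detail}")
```

The HTTP front page yields FORM_OVER_HTTP and AUTOCOMPLETE_OFF; the HTTPS login page with a relative action yields nothing. Feeding real pages means fetching them with the URL they were served from, since a relative action is only as safe as the scheme of the page it sits on.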
