Ok, I see your point, and I need to talk to my bank. There is a slight wrinkle on their part in that my userid is more like an additional password that is unique across customers. It is associated with my account number but never displayed anywhere, so without a keylogger no one should be able to find it. It is on an SSL page. It has the usual restrictions on length and mixed character sets.

-----Original Message-----
From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Darren Oh
Sent: Wednesday, November 07, 2007 10:56 AM
To: development@drupal.org
Subject: Re: [development] OpenId open to phishing attacks.

My point is that a picture and phrase would provide a false sense of security, since a phishing site could request it on the user's behalf, display it, collect the user's input, and post it to the OpenID server. By providing a false sense of security, the picture could be worse than doing nothing. The only possible defense is for the user to notice that the page has been decrypted. A simple warning not to submit the form unless the secure icon is shown in the browser would be the best security.

On Nov 7, 2007, at 10:41 AM, Walt Daniels wrote:
I have no doubt that the hackers will find ways around almost anything we (or anybody else) do to prevent phishing. There is no possibility of overestimating the stupidity of our users in ignoring all the best that we can offer. My proposal is a simple-to-implement step in the right direction (supplemented by server-side heavier-duty security). It doesn't change the user behavior too much to be annoying. One can always make things more secure by introducing more and more complication.