An interesting suggestion. I think Ian's suggestion of using something that is easier remembered than a number or letter is good. The UI issue is partially addressed by having a 'what's this' pop-up above it the first few times a user-profile submits a form.
I like the password-hash concept [Blake and others] implemented within the browser (see a password field and at form-post time hash in the user [or autofill] entered password with the site base-domain) as an anti-phishing measure, though the problem is that it locks a user into a specific browser and probably a specific installation of the browser as well.

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
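
The site-bound hashing described in the message above, as an added example that is not part of the original post and not the browser implementation it refers to. It swaps in PBKDF2-HMAC-SHA256 as the hash, and assumes a two-entry stand-in for the Public Suffix List, a hypothetical `site-pw-v1:` salt label, and constructed sample URLs; the last derivation shows the lock-in problem the post raises.

```javascript
const crypto = require("crypto");

// Assumption: tiny stand-in for the Public Suffix List, enough for the samples.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a form's action URL to its base (registrable) domain.
function baseDomain(actionUrl) {
  const labels = new URL(actionUrl).hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Derive the value that is posted in place of the typed password.
// The base domain is the salt, so the same typed password yields an
// unrelated value on any other base domain.
function sitePassword(typedPassword, actionUrl, iterations = 100000) {
  const salt = "site-pw-v1:" + baseDomain(actionUrl); // hypothetical label
  return crypto
    .pbkdf2Sync(typedPassword, salt, iterations, 18, "sha256")
    .toString("base64url");
}

// Constructed sample inputs.
const typed = "correct horse";
// Two hosts under the same base domain derive the same site password.
const real = sitePassword(typed, "https://login.example.com/session");
const sameSite = sitePassword(typed, "https://www.example.com/account");
// A lookalike host reduces to a different base domain (evil.test), so the
// value it receives is useless at example.com.
const lookalike = sitePassword(typed, "https://login.example.com.evil.test/session");
// Lock-in: an implementation with any different parameter (here the
// iteration count) derives a different password for the same site.
const otherBrowser = sitePassword(typed, "https://login.example.com/session", 50000);

console.log({ real, sameSite, lookalike, otherBrowser });
```

The protection rests entirely on `baseDomain`: a real deployment needs the full Public Suffix List, otherwise hosts under a shared suffix collapse to the same salt.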