Hi,

On 4/12/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> If I understand your point correctly, are you referring to the fact that a phisher could get the passphrase from the user? This would not be possible because the passphrase would only be available to that user, and the passphrase consists of 5 or more words that are meaningful to that user, not a standard phrase that a phisher could easily construct.

How does the user see the passphrase before logging in? If the passphrase is tied to the user, then on the login page, how do you show the passphrase for that user? You would need to know the username before the login screen is presented. I'm not sure what's stopping an attacker from passing someone else's username to get to the login screen which displays that user's passphrase.

-Shihab
_______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
