The passphrase would be stored in a session/cookie, which would be separate from an actual login. The effect would be similar to Amazon's welcome message, which says hello, but you are not actually logged on.
On Wed, 11 Apr 2007 15:41:49 +0100 Shihab Hamid <[EMAIL PROTECTED]> wrote:

> Hi,
>
> On 4/12/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>> If I understand your point correctly, are you referring to the fact
>> that a phisher could get the passphrase from the user? This would
>> not be possible because the passphrase would only be available to
>> that user, and the passphrase consists of 5 or more words that are
>> meaningful to that user, not a standard phrase that a phisher could
>> easily construct.
>
> How does the user see the passphrase before logging in? If the
> passphrase is tied to the user, then on the login page, how do you
> show the passphrase for that user? You would need to know the
> username before the login screen is presented. I'm not sure what's
> stopping an attacker from passing someone else's username to get to
> the login screen which displays that user's passphrase?
>
> -Shihab

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
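As an added illustration (not code from this thread or from any OpenID project) of the cookie-based approach described above: the login page chooses which passphrase to show from an opaque browser-recognition cookie issued after an earlier full login, and ignores the username typed into the form. The user names, phrases and greeting text are constructed sample data.

```python
import hashlib
import secrets
from typing import Optional

# Constructed sample store: username -> personal passphrase of five or more words.
USER_PHRASES = {
    "alice": "blue kettle sings over green hills",
    "bob": "seven quiet lanterns guard the harbour",
}

# Server-side map from SHA-256(recognition token) -> username. Only the hash is
# stored, so a copy of this table does not yield usable tokens (design assumption).
RECOGNISED_BROWSERS = {}

GENERIC_GREETING = "Hello. This browser is not yet recognised."


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_recognition_cookie(username: str) -> str:
    """Called only after a real, successful login. Mints an unguessable token
    that the browser keeps as a cookie (assumed Secure + HttpOnly in practice)."""
    token = secrets.token_urlsafe(32)
    RECOGNISED_BROWSERS[_token_key(token)] = username
    return token


def login_page_greeting(username_param: Optional[str], cookie_token: Optional[str]) -> str:
    """Build the pre-login greeting shown on the login page.

    The passphrase is selected purely by the cookie presented by this browser.
    The username parameter is deliberately not consulted, so supplying someone
    else's username does not reveal their passphrase; a browser without a valid
    cookie (new device, cleared cookies, or an attacker's browser) gets the
    generic greeting instead."""
    if not cookie_token:
        return GENERIC_GREETING
    user = RECOGNISED_BROWSERS.get(_token_key(cookie_token))
    if user is None:
        return GENERIC_GREETING
    return f"Hello, your passphrase is: {USER_PHRASES[user]}"
```

The limitation the design inherits is visible in the last branch: a browser that lacks the cookie sees no passphrase at all, so users must be taught that a missing phrase on a familiar site is itself a warning sign.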
