Re: Separated User ID and Password

Sat, 19 Mar 2016 00:39:56 -0700 

NFN Smith wrote:

[email protected] wrote:

I'm beginning to suspect that some web developers are starting to use
two-page login forms deliberately to prevent their users from using
password managers on the assumption they won't be secure, rather than
leaving it up to their users to ensure they store their passwords
securely. In which case, even if something is done in the browser which
works most of the time, those web developers may make sure they hit the
conditions for it to not work for their site and the whole cycle would
start again...


Some of it may be a way of defending against passwords "remembered"
(whether in the browser, as with Mozilla, or in the way that IE keeps
stuff in the Windows registry). Given the antipathy of some developers
towards Mozilla (including the long-time problem of improper sniffing
methodologies, looking explicitly for "Firefox", rather than "Gecko",
and sometimes causing for Gecko browsers that aren't Firefox), I think
there's some number of developers that aren't really thinking much about
the Mozilla method of handling passwords.

However, I think developers are more focused on defending against
script-based authentication (presumed to be malicious). By requiring
multiple user inputs, then it's far more difficult for an attacker to
present credentials -- not only valid credentials, but a way of
defending against brute-force guessing.  And this kind of methodology
achieves a lot of the same kind of benefit as CAPTCHA, without annoying
users with CAPTCHA images that are difficult to decipher.

I've noticed that multiple-stage logins seem to be most common with
financial institutions.

I haven't checked it, but my suspicion is that a tool such as KeePass
might have capacity of scripting a multiple-stage login.

Smith


Here are the same questions that I asked Ed Mullen about Last Pass(with 
no reply so far), after reading their description:



        --  Not clear if it addresses the two-part login problem. Do 
you know?



        --  Will it pick up existing login data from Password Manager, 
or will I have to reenter all from scratch?


Thanks for your suggestion.
Larry S.
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey























					Reply via email to