[144282] in cryptography@c2.net mail archive


Re: Solving password problems one at a time, Re: The password-reset

daemon@ATHENA.MIT.EDU (Ed Gerck)
Tue Feb 24 13:24:51 2009

Date: Mon, 23 Feb 2009 14:40:43 -0800
From: Ed Gerck <edgerck@nma.com>
To: "James A. Donald" <jamesd@echeque.com>
CC: cryptography@metzdowd.com
In-Reply-To: <49A321FA.8040807@echeque.com>

James A. Donald wrote:
> No one is going to check for the correct three letter
> combination, because it is not part of the work flow, so
> they will always forget to do it.

Humans tend to notice patterns. We easily notice mispelngs. Your
experience may be different but we found out in testing that 
three-letters can be made large enough to become a visually noticeable 
pattern.

Reversing the point, the fact that a user can ignore the three-letters 
is useful if the user forgets them. The last thing users want is one 
more hassle. The idea is to give users a way to allay spoofing concerns, 
if they so want and are motivated to, or learn to be motivated. Mark 
Twain's cat was afraid of the cold stove.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
