Closed
Bug 362580
Opened 18 years ago
Closed 17 years ago
Better Security, Password Management and Anti-phishing Technology.
Categories
(Toolkit :: Password Manager, enhancement)
VERIFIED
WONTFIX
People
(Reporter: BijuMailList, Unassigned)
References
(Depends on 1 open bug)
Details
Attachments
(4 files)
There are methods to improve online security, like bug 361915,
but they need co-operation from the webmaster.
So meanwhile we could try to improve security by minor changes in the browser.
Here is my suggestion:
* Implement Domain Verification Code (DVC).
- a new method to improve Anti-phishing Technology.
* Don't push the user to save passwords in the browser PM.
- we know that without a MasterPassword, PM is not secure.
- So why do we drag the user into saving passwords?
* CapsLock ON indicator
- How many times may you have typed a password with CapsLock ON
- and wondered what happened?
Let me load my slides as an attachment.
AFAIK most people don't use the browser PM to store Bank Uid/Password.
Also, current Anti-phishing Technology can only identify
a phishing site if somebody reported it.
So how does a user quickly find/ensure whether the login form he reached is
a phishing site or the genuine site where he already registered?
There is a way to do that.
Credit card companies use the "Card Security Code",
commonly known as the CVC2 (aka CVV2) code
http://en.wikipedia.org/wiki/Card_Security_Code
to improve online security.
This is a special code, i.e. a 3 or 4 digit number
the banker has given for a card when issued.
The proposed "Domain Verification Code (DVC)" is something similar
(PS: the name can be changed if it is too techie),
i.e., a code given by a user to a site, which only he knows.
e.g.:
I may give all my bank sites code 911,
all wiki sites 411,
all web mail sites 611.
This code will appear in the background at the end of
the form's password field.
There is no way the web server/page can read this code.
The user may also choose a preferred color/bgcolor for the code.
Here is how it should appear to the user.
Scenario 1: a new login for this browser
* Say he wants to log in for the first time at
https://www.google.com/accounts/
* User sees a page like
login_presave.png attachment 247257 [details]
i.e.,
- if CapsLock is ON there is an indicator
- there is a "save" icon at the end of the password field.
* User enters uid/password
* Clicks the password field's "save" icon.
(only if he wishes to configure save PM or DVC)
* User sees passoptions.png, attachment 247258 [details]
* Configures options; if he needs to save the password
he does that too
* Creates a DVC if he wishes, say "7890" with red in yellow bgcolor
* and closes the passoptions screen
* Now the form field changes to accommodate his change
see login_postsave.png attachment 247259 [details]
* and he submits the form
* In the case where the user did not use the passoptions screen,
PM will also never prompt to save the password.
Scenario 2: user returns to the login page after already saving the password
* User sees a page like
login_postsave.png attachment 247259 [details]
- DVC appears as "7890" with red in yellow bgcolor
- user feels confident about the site, and proceeds to log in
Scenario 3: user returns to the login page, after configuring DVC, but without saving the password
* User sees
- DVC appears as "7890" with red in yellow bgcolor
- uid/Password is blank
Scenario 4: user returns to the login page, after not saving the password or configuring DVC
* it appears as in Scenario 1
I have also attached a demo passoption screen
see passoptions.xul attachment 247260 [details]
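The four scenarios above amount to a per-site lookup performed by the browser rather than by the page. The following is an added example, not part of the bug report or of Firefox: `DvcStore`, `originOf`, `configure` and `fieldState` are hypothetical names, binding the DVC to the parsed origin is an assumption the report does not spell out, and the sample URLs are constructed.

```javascript
// Added sketch of the proposed DVC lookup; every name here is hypothetical.
// Assumption: a DVC is bound to the page origin (scheme + host + port).
class DvcStore {
  constructor() {
    this.entries = new Map(); // origin -> { code, color, bgcolor, savedLogin }
  }

  // Key on the parsed origin so userinfo, path and letter case cannot spoof it.
  static originOf(pageUrl) {
    const u = new URL(pageUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") {
      throw new Error("unsupported scheme: " + u.protocol);
    }
    return u.origin; // host lower-cased, default port dropped
  }

  configure(pageUrl, { code, color, bgcolor, savePassword = false }) {
    this.entries.set(DvcStore.originOf(pageUrl),
      { code, color, bgcolor, savedLogin: savePassword });
  }

  // What browser chrome would draw in the password field for this page.
  fieldState(pageUrl) {
    const entry = this.entries.get(DvcStore.originOf(pageUrl));
    if (!entry) return { scenario: "1/4", dvc: null, prefill: false };
    return {
      scenario: entry.savedLogin ? "2" : "3",
      dvc: { code: entry.code, color: entry.color, bgcolor: entry.bgcolor },
      prefill: entry.savedLogin,
    };
  }
}

// Constructed sample data: the DVC values from Scenario 1.
const store = new DvcStore();
store.configure("https://www.google.com/accounts/",
  { code: "7890", color: "red", bgcolor: "yellow", savePassword: true });

// Constructed lookalike URLs; none shares the configured origin.
const lookalikes = [
  "https://www.google.com@login.example/accounts/", // real name as userinfo
  "https://www.google.com.login.example/accounts/", // real name as subdomain
  "http://www.google.com/accounts/",                // same host, other scheme
];
for (const url of ["https://WWW.GOOGLE.COM:443/accounts/", ...lookalikes]) {
  const s = store.fieldState(url);
  console.log(url, "->", s.dvc ? "DVC " + s.dvc.code : "no DVC shown");
}
```

A missing DVC on a page the user has configured before is the signal the proposal relies on, so the lookup key has to come from the URL parser and never from a substring match on the address.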
Comment 6•18 years ago
Caps lock stuff is bug 259059. Please try to keep bugs focused on a single issue.
I agree about the password options. The more options, the more able the user will be to keep their passwords safe, as shown in bug 360493. I'm all for this enhancement, with all the hype going around about needed restrictions for PM.
Comment 8•17 years ago
First off, this bug is way too general and non-specific. In the future, as Jesse said in comment #6, please keep the scope of a bug as narrow as possible.
That said, the proposal mockup in attachment 247258 [details] isn't something I can ever see us implementing as a default. A popup window with a dozen things to select from is extremely confusing. This kind of thing might be useful as an extension for those who want the extra control, though.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Comment 9•17 years ago
Yikes. Go google on "paralysis of choice" for many explanations of why this would be dead wrong as a default.
Status: RESOLVED → VERIFIED
Updated•16 years ago
Product: Firefox → Toolkit