Closed Bug 362580 Opened 18 years ago Closed 17 years ago

Better Security, Password Management and Anti-phishing Technology.

Categories

(Toolkit :: Password Manager, enhancement)

1.8 Branch
x86
Windows XP
enhancement
Not set
normal

Tracking

()

VERIFIED WONTFIX

People

(Reporter: BijuMailList, Unassigned)

References

(Depends on 1 open bug)

Details

Attachments

(4 files)

There are methods to improve online security, like bug 361915,
but they need co-operation from webmasters.
So meanwhile we could try to improve security by minor changes in the browser.

Here are my suggestions

* Implement Domain Verification Code (DVC).
  - a new method to improve Anti-phishing Technology.

* Don't push the user to save passwords in browser PM.
  - we know that without a MasterPassword PM is not secure.
  - So why do we drag the user to save passwords?

* CapsLock ON indicator
  - How many times have you typed a password with CapsLock ON
  - And wondered what happened?


Let me load my slides as attachments
Attached image login_presave.png
Attached image passoptions.png
Attached image login_postsave.png
Attached file passoptions.xul
AFAIK most people don't use browser PM to store Bank Uid/Password.
Also, current Anti-phishing Technology can only identify
a phishing site if somebody reported it.
So how does a user quickly find/ensure whether the login form he reached is
a phishing site or the genuine site where he already registered?


There is a way to do that.

Credit card companies use a "Card Security Code",
commonly known as the CVC2 (aka CVV2) code
http://en.wikipedia.org/wiki/Card_Security_Code
to improve online security.
This is a special code, ie a 3 or 4 digit number
the banker has given for a card when issued.


The proposed "Domain Verification Code (DVC)" is something similar
(PS: the name can be changed if it is too techie)
ie, a code given by a user to a site, which only he knows.


eg:-
I may give all my bank sites code 911
for all wiki sites 411
all web mail sites 611

This code will appear in the background at the end of
the form's password field.
There is no way the web server/page can read this code.
The user may also choose a preferred color/bgcolor for the code.


Here is how it should appear to the user

Scenario 1: a new login for this browser

* Say he wants to log in for the first time at
  https://www.google.com/accounts/

* User sees a page like
  login_presave.png, attachment 247257
  ie,
  - if CapsLock is ON there is an indicator
  - there is a "save" icon at the end of the password field.

* User enters uid/password

* Clicks the password field's "save" icon.
  (only if he wishes to configure saving in PM or a DVC)

* User sees passoptions.png, attachment 247258

* Configures the options; if he needs to save the password
  he does that too

* Creates a DVC if he wishes, say "7890" with red in yellow bgcolor

* and closes the passoptions screen

* now the form field changes to accommodate his change
  see login_postsave.png, attachment 247259

* and he submits the form

* in case the user did not use the passoptions screen,
  PM will also never prompt to save the password.


Scenario 2: user returns to the login page after having already saved the password


* User sees a page like
  login_postsave.png, attachment 247259
  - DVC appears as "7890" with red in yellow bgcolor
  - user feels confident about the site, and proceeds to log in


Scenario 3: user returns to the login page after configuring a DVC, but without saving the password

* User sees
  - DVC appears as "7890" with red in yellow bgcolor
  - uid/password is blank


Scenario 4: user returns to the login page after neither saving the pwd nor configuring a DVC
* it appears as in Scenario 1


I have also attached a demo passoptions screen,
see passoptions.xul, attachment 247260
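
The lookup behind the four scenarios above, as an added example that is not part of the original bug report and is not Firefox code. `DvcStore`, `describeField` and the lookalike host are hypothetical, and keying the code by URL origin is an assumption, since the proposal does not say how a site is identified.

```javascript
// Added illustration of the proposed Domain Verification Code (DVC) lookup.
// All names here are hypothetical; the store lives in the browser, never in the page.
class DvcStore {
  constructor() {
    this.entries = new Map(); // origin -> { code, color, bgcolor }
  }

  // Assumption: a site is identified by its origin (scheme + host + port),
  // so a lookalike host or a plain-http copy is a different key.
  static keyFor(pageUrl) {
    const u = new URL(pageUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") {
      throw new Error("DVC applies only to web login pages");
    }
    return u.origin;
  }

  save(pageUrl, code, color, bgcolor) {
    this.entries.set(DvcStore.keyFor(pageUrl), { code, color, bgcolor });
  }

  // Returns what the browser would draw behind the password field, or null.
  lookup(pageUrl) {
    return this.entries.get(DvcStore.keyFor(pageUrl)) || null;
  }
}

function describeField(store, pageUrl) {
  const dvc = store.lookup(pageUrl);
  return dvc ? `DVC ${dvc.code} (${dvc.color} on ${dvc.bgcolor})` : "save icon, no DVC";
}

const store = new DvcStore();
// Scenario 1: first visit, nothing configured yet.
const first = describeField(store, "https://www.google.com/accounts/");
store.save("https://www.google.com/accounts/", "7890", "red", "yellow");
// Scenarios 2 and 3: any page on the same origin shows the user's code.
const returning = describeField(store, "https://www.google.com/accounts/Login?x=1");
// Constructed lookalike host and a downgraded copy: no stored code, so none is drawn.
const lookalike = describeField(store, "https://www.google.com.accounts.example/");
const downgraded = describeField(store, "http://www.google.com/accounts/");
console.log({ first, returning, lookalike, downgraded });
```

The missing code on the lookalike page is the signal the user is expected to notice; the scheme relies on that absence being spotted.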
Severity: normal → enhancement
Caps lock stuff is bug 259059.  Please try to keep bugs focused on a single issue.
Depends on: 259059
I agree about the password options. The more options, the more able the user will be to keep their passwords safe, as shown in bug 360493. I'm all for this enhancement, with all the hype going around about needed restrictions for PM.
First off, this bug is way too general and non-specific. In the future, as Jesse said in comment #6, please keep the scope of a bug as narrow as possible.

That said, the proposal mockup in attachment 247258 isn't something I can ever see us implementing as a default. A popup window with a dozen things to select from is extremely confusing. This kind of thing might be useful as an extension for those who want the extra control, though.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Yikes.  Go google on "paralysis of choice" for many explanations of why this would be dead wrong as a default.
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit