Closed Bug 362580 Opened 18 years ago Closed 17 years ago

Better Security, Password Management and Anti-phishing Technology.


(Toolkit :: Password Manager, enhancement)

1.8 Branch
Windows XP
Not set





(Reporter: BijuMailList, Unassigned)


(Depends on 1 open bug)



(4 files)

There are method to improve online security like bug 361915
but it needs co-operation from webmaster.
so mean while we could try to improve security by minor changes in browser.

Here is my suggestion

* Implement Domain Verification Code (DVC).
  - an new method to improve Anti-phishing Technology.

* Dont push user to save password in browser PM.
  - we know with out MasterPassword PM is not secure.
  - So why we drag user to do password save?

* CapsLock ON indicator
  - How many times you may have type Password with CapsLock ON
  - And wondered what happened?

Let me load my slides as attachment
Attached image login_presave.png
Attached image passoptions.png
Attached image login_postsave.png
Attached file passoptions.xul
AFAIK most people dont use browser PM to store Bank Uid/Password
Also current Anti-phishing Technology can only identify 
a Phishing site if somebody reported it.
So how do user quickly find/ensure, the login form where he reached is
a phishing site or genuine site where he already registered?

There is a way to do that.

Credit card companies use "Card Security Code"
or commonly know as CVC2 (aka CVV2) code
to improve online security.
this a special code, ie a 3 or 4 digit number
the banker has given for a card when issued

The proposed "Domain Verification Code (DVC)" is something similar 
(PS: the name can be changed if it is too techie)
ie, a code given by a user to a site, which he only know.

I may give all my bank sites code 911
for all wiki sites 411
all web mail sites 611

This code will appear in background at the end of 
form password field.
There is now way the web server/page can read this code
user may also choose a preferred color/bgcolor for the code

Here is how it should appear to user 

Scenario 1:  a new login for this browser

* Say he want to login first time at

* User see page like 
  login_presave.png  attachment 247257 [details]
  - if CapsLock is ON there is an indicator
  - there is a "save" Icon at the end of password field.

* User enter uid/password 

* Click password field's "save" Icon.
  (only if he wish to configure save PM or DVC)

* user see passoptions.png, attachment 247258 [details]

* configure options, if he need to save password 
  he do that too

* create DVC if he wish, say "7890" with red in yellow bgcolor

* and close passoption screen

* now the form field changes to accommodate his change
  see login_postsave.png attachment 247259 [details]

* and he submit the form
* for the case user did not used passoptions screen
  PM will also never prompt to save password.

Scenario 2: user return to login page after already saved password

* User see page like 
  login_postsave.png attachment 247259 [details]
  - DVC appear as "7890" with red in yellow bgcolor
  - user feel confident about the site, and proceed login

Scenario 3: user return to login page, after configuring DVC, but not saved password
* user see 
  - DVC appear as "7890" with red in yellow bgcolor
  - uid/Password is blank

Scenario 4: user return to login page, after not saving pwd or config DVC
* it appears as if Scenario 1

I have also attached a demo passoption screen 
see passoptions.xul attachment 247260 [details]
Severity: normal → enhancement
Caps lock stuff is bug 259059.  Please try to keep bugs focused on a single issue.
Depends on: 259059
I agree about the password options. The more options, the more able the user will be able to keep their passwords safe, as shown in bug 360493. I'm all for this enhancement, with all the hype going around about needed restrictions for PM.
First off, this bug is way too general and non-specific. In the future, as Jesse said in comment #6, please keep the scope of a bug as narrow as possible.

That said, the proposal mockup in attachment 247258 [details] isn't something I can ever see us implementing as a default. A popup window with a dozen things to select from is extremely confusing. This kind of thing might be useful as an extension for those who want the extra control, though.
Closed: 17 years ago
Resolution: --- → WONTFIX
Yikes.  Go google on "paralysis of choice" for many explanations of why this would be dead wrong as a default.
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.