Re: Two more thoughts about credentials download protocols
Hi Radia,
> The second thought is about the issue someone brought up about how if
> you get out of sync with typing name and password, you could wind up
> sending your password over the wire in the clear. Charlie suggested
> a low-tech fix to that, which is that the password be required to
> contain a character which is illegal in a name. For instance, if
> "=" isn't legal in a name, and the user's
> password is "mypassword", the user could be required to type ==mypassword.
> And this might make a good user interface for putting in a hint. If
> the hint is, say, "J", then the user could either type
> =J=mypassword (which includes the hint), or ==mypassword (no hint)
First, I do kind of like the idea; however, I'm not sure that
it's easy to enforce, given I18N. Also, if == is always prepended
then s/w will likely be developed that automatically enters
that, which defeats the purpose. Finally, it's not that user friendly
to require additional crud to be typed (even if it's just a few
characters).
I'd be interested in what others think about the requirement and
especially other ideas for (possibly partly) solving the problem.
Stephen.
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com
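
The delimiter convention from the quoted text, sketched as a client-side check; this is an added example, not part of the original message or of any protocol draft. The names `check_name`, `parse_password`, `fold` and `OutOfSyncInput` are hypothetical, and the NFKC folding is an assumed way of handling the I18N case of look-alike "=" characters.

```python
import unicodedata

DELIM = "="  # the thread's example of a character that is illegal in a name


class OutOfSyncInput(ValueError):
    """The field's content looks like it belongs in the other field."""


def fold(text):
    # Assumption: NFKC folding, so look-alikes such as U+FF1D FULLWIDTH
    # EQUALS SIGN typed through an IME still count as the delimiter.
    return unicodedata.normalize("NFKC", text)


def check_name(field):
    """Return the name if it may be sent in the clear, else raise."""
    name = fold(field).strip()
    if not name or DELIM in name:
        raise OutOfSyncInput("name field is empty or holds the delimiter")
    return name


def parse_password(field):
    """Split '=hint=password' or '==password' into (hint, password)."""
    marks = [i for i, ch in enumerate(field) if fold(ch) == DELIM]
    if len(marks) < 2 or marks[0] != 0:
        raise OutOfSyncInput("password must start with =hint= or ==")
    hint, password = field[1:marks[1]], field[marks[1] + 1:]
    if not password:
        raise OutOfSyncInput("empty password")
    return hint, password  # password text is returned unmodified


if __name__ == "__main__":
    # Constructed inputs: in-sync entry, then a password typed at the name prompt.
    print(check_name("alice"), parse_password("=J=mypassword"))
    for slipped in ("==mypassword", "\uff1d\uff1dmypassword"):
        try:
            check_name(slipped)
        except OutOfSyncInput as exc:
            print("refused to send:", exc)
```

The check only helps if it runs before the name field is transmitted, and only when the user actually types the delimiter rather than having software prepend it.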