how can you verify that the site you get is not a fake?
Robin Laing
Robin.Laing at drdc-rddc.gc.ca
Mon Jun 6 15:28:07 UTC 2005
bruce wrote:
> and matt.. now you see the issue that i've been dealing with...
>
> my bad for not clarifying it earlier.. the ssl aspect helps, but it still
> doesn't get to the issue of allowing someone to 'know' or be extremely
> certain, that the site they're on, is the 'right' site for the url that
> they're trying to obtain...
>
> on a similar tip. if you lose your password.. what's a secure way to get the
> password. the current method (of course) is to send you a new password via
> email.. assuming that you know your username. but given the fact that email
> is text, and could easily be sniffed, is there another/better way.. (and
> let's not get into public/private encryption!!)
>
> any ideas/thoughts...
>
> -bruce
In my case, if it is really a place that I need security (bank), it is
a phone call. My online bank will only allow 3 mistaken logins within
a short time and then it requires a phone call to get the access opened.

If I get a password by email, I change it on the first new login.

The odds of a single email being sniffed are pretty low in my opinion. And
if you are on the ball, you request the password when you will receive
it and hopefully act before the sniffer can even go through the data.

This is an interesting thought. When one bank that we used changed
from UNIX to Windows servers, the passwords became case insensitive
and would not accept some characters. We raised this with the bank
and they didn't seem too concerned.
--
Robin Laing