RE: SecurityFocus HOME News: Defenses lacking at social network sites

Decius wrote:

] People get into your account because they guess your password,
] or because you leave yourself logged in and then your friends
] come over and use your computer, or because you use the same
] password all over the place. There isn't much that I can do
] about these attacks as a site manager. I need YOU to use
] client certificates to login to my site, and you need to keep
] your certificate on a smart card or ibutton that stays on
] your person.
]
] Is anyone using technology like this? Would you want to use it
] to access MemeStreams if it was available? What do you think?

I agree with D. It's an education problem (or a laziness problem) more than anything, letting the browser remember your passwords so you don't have to type them in all the time (especially when they differ, like all of mine do). I do this with non-critical sites (i.e. when $$$ isn't involved), so you could walk up to my laptop (or my work computer) and post as me all day.

I don't think a lot is gonna change until the infrastructure exists that Decius suggests. A way to get there in the short term, without specialized hardware (card reader, iButton reader), is to store certificates on a USB pendrive device, which is becoming more ubiquitous anyhow. At least, it's a step in that direction.

I'd like to move towards that myself, allowing the USB device, like the key for my car, to authenticate me everywhere, and ideally handle automatic release of as much personal data as I authorize, on an object-by-object basis. If widely adopted, this also solves the issue of retail sites being hacked for your credit card number. If my device can handle the details of telling amazon my info when I authorize it to, there's no longer any need for them to store my credit card number locally.