Tuesday, April 29, 2008

Can Browser's Password Manager Be Used As Sign In Seal?

Almost every user relies on the browser's password manager these days. You visit a site, enter your password, and ask the browser to remember it. The password manager is then supposed to fill in the user name and password automatically the next time you go to that site.

This can be used to avoid phishing attacks. The first time you visit any domain, make sure that you have typed the URL correctly in the address bar, then save your password. (You need not store the actual password; just make up a user name that only you would know and put in any password.) The next time you visit the site, you should expect to see the user name you saved. If it is there, the page actually came from the right domain, because the browser only fills in credentials for the domain they were saved on.

E.g. visit mail.google.com, enter the user name bla-google with any password, and save it. The next time, bla-google will be filled in automatically only if the page originated from that domain, effectively creating a sign-in seal.

What are the limitations? Well, it doesn't work across browsers unless you set it up in each browser. The autocomplete setting may cause trouble. It may not work on subdomains (a site running something like the Yahoo! sign-in seal, on the other hand, can show the same seal on its subdomains).
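To make the origin-matching behind this concrete, here is an added example (not code from the original post): a toy model of a password manager that keys saved credentials by origin, showing why the marker user name appears on the real site but not on a lookalike host, and why the subdomain limitation above exists. The hostnames and the marker name are constructed for the demo.

```javascript
// Toy password-manager store keyed by origin (scheme + host + port).
// Real browsers use more elaborate rules, but exact-origin matching is
// the property the sign-in-seal trick depends on.
class PasswordStore {
  constructor() {
    this.entries = new Map();
  }

  // Save a credential for the page the user is currently on.
  save(pageUrl, username, password) {
    const origin = new URL(pageUrl).origin;
    this.entries.set(origin, { username, password });
  }

  // Autofill: return the saved user name only when the page's origin
  // matches exactly; any other host (lookalike, subdomain) gets nothing.
  autofill(pageUrl) {
    const origin = new URL(pageUrl).origin;
    const entry = this.entries.get(origin);
    return entry ? entry.username : null;
  }
}

// The seal check the post describes: the user expects to see the marker
// user name they saved; anything else means the page is not from that origin.
function sealMatches(store, pageUrl, expectedMarker) {
  return store.autofill(pageUrl) === expectedMarker;
}

// Demo with constructed hostnames (example.com / other.test are placeholders).
function demo() {
  const store = new PasswordStore();
  store.save("https://mail.example.com/login", "bla-example", "anything");
  return {
    // Same origin, different path and query: marker is filled in.
    sameOrigin: sealMatches(store, "https://mail.example.com/login?next=/inbox", "bla-example"),
    // Host that merely starts with the real name: no fill, seal is absent.
    lookalike: sealMatches(store, "https://mail.example.com.other.test/login", "bla-example"),
    // Sibling subdomain of the same site: also no fill (the post's limitation).
    subdomain: sealMatches(store, "https://accounts.example.com/login", "bla-example"),
  };
}

console.log(demo());
```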

Any thoughts?