and matt.. now you see the issue that i've been dealing with...
my bad for not clarifying it earlier.. the ssl aspect helps, but it still doesn't get to the issue of allowing someone to 'know' or be extremely certain, that the site they're on, is the 'right' site for the url that they're trying to obtain...
on a similar tip. if you lose your password.. what's a secure way to get the password. the current method (of course) is to send you a new password via email.. assuming that you know your username. but given the fact that email is text, and could easily be sniffed, is there another/better way.. (and let's not get into public/private encryption!!)
any ideas/thoughts...
-bruce
In my case, if it is really a place that I need security (bank), it is a phone call. My online bank will only allow 3 mistake logins within a short time and then it requires a phone call to get the access opened.
If I get a password by email, I change it on the first new login.
The odds of a single email sniffed is pretty low in my opinion. And if you are on the ball, you request the password when you will receive it and hopefully act before the sniffer can even go through the data.
This is an interesting thought. When one bank that we used changed from UNIX to Windows servers, the passwords became case insensitive and would not accept some characters. We raised this with the bank and they didn't seem to concerned.
-- Robin Laing
