
Have you considered how hard it would be to create a password FORM input that couldn't be forged?


How about this: if focus is in a password field, then you get a visual signal somewhere in the chrome--e.g., the color of the location bar changes. Something that HTML+JS just can't do.


We can't train users to look for a lock icon to see if they're SSL encrypted, so I'm not optimistic that something as subtle as a URL bar change is going to guide them to secure password inputs.


Consider this, then: a secure password box is put at the very very bottom of the page in an obscure location. JS is used to make a fake one that is prominent. How will you deal with that?


Yes: trivial. Have the user type in an area outside the page.


So... let's just dispense with web security altogether.


Hard problems don't become more tractable just because you get angry at them.



