The UI problem is that there’s no easy way to communicate what’s going on to the user. I thought of adding some text to the password dialog along the lines of “The longer you’re prepared to wait before clicking ‘OK’, the string the protection will be. Note that this delay will occur every time you enter your master password. Current protection: 1 day to break”, but this is just plain ugly, there’s too much for the user to absorb, and even this lengthy explanation won’t be enough for most users. Furthermore, the more explanatory text you add, the longer people will be delayed before they click OK, creating an irritating problem whenever they enter their password in the future. In the worst case this delay time is unbounded, for example if the phone rings before they can click OK, or (a more common case) they pause to write the password on a post-it note to stick to the side of their monitor before clicking OK. It’s just too awkward and un-controlled.

A second problem is that most (all?) crypto APIs don’t give you this level of control over password hashing unless you’re working at an extremely low level. Most just follow the functionality of standard password-processing mechanisms like PBKDF2, where you input a password, salt, and iteration count, and wait until it spits out the result. You can’t interrupt this at an arbitrary point when you get bored.

After thinking about this a bit I figured a more workable solution woul be to provide a slider from 0…10s (default = 1s) and the text “To strengthen your password protection, you can add a processing delay to the password each time you enter it. The longer the delay, the stronger the protection”. This puts the user in direct control, and makes explicit what’s happening, rather than overloading the ‘OK’ button with unexpected functionality.

Is Passpet still an idea or have you moved to active project? I have long recommended Password Safe, in part because I have confidence in the dev team, and it is unaffected by browser changes. Now that Fx has matured I am willing to reconsider.

I don’t bring any coding skills to the table but I’m interested and would enjoy participating.

You can use the same “pet icon” trick to try to make the in-page UI hard to spoof, but i think it would be weaker than a pet icon in the toolbar. I think some users would learn to click on any in-page button next to a “Password:” label regardless of its icon, whereas they would be less likely to click on a toolbar button with the wrong icon.

That is, from a DOM perspective, could passpet replace the default password input widget?

. The amount of work required for client-side PKI is outrageously high, so high in fact that almost no-one even does it (or those that do drop it pretty quickly). Look at the research done at Xerox PARC, where a bunch of people with PhDs in computer science rated client-side PKI as the hardest computer task they’d ever been asked to accomplish, taking on average over two hours even though they had step-by-step instructions with screenshots to guide them. When informed of this, the manufacturers of the gear they were using were baffled that anyone would even try and do this. There’s a reason why virtually no-one uses client-side PKI in practice…

(BTW Ping, why do I need to have Javascript enabled just to use your blog? Mumble mutter…).

The amount of setup work for the client is pretty simple, and only needs to be done once per bank account per PC.

So if you use a desktop computer, and an emergency happens while you’re away from home, there’s no way you can access your accounts? I’m not so sure this is going to fly.

SPF and DKIM are also useful things that aren’t being deployed by banks or other phishing targets, and would cut out a lot of the phish mail because ISPs can reject mail sent from inappropriate IP addresses without the recipient having to do any work. That won’t stop phishers from registering domains that look cleverly similar to real banks, but again it’s at least a start.

What I see as ideal is a progression of historical information: having seen a cert before, how many times, having bookmarked a cert, having tagged it, and having labelled it with a petname are all progressions in better information that can be displayed to the user. A great tool would present all these to the user, rather than try and choose one or the other as “better” in some sense. (Of course, that leaves aside implementation details…)

USB keys are a good approach, as long as you have yours with you. One nice thing about hashing is that the only thing you need, your master password, is in your head. People are comfortable with that model. Now, if we could just make the password calculator ubitquitous …

Bottom line: Put password wallets, such as RoboForm, and hashers into the market. My guess is that there’s room for both.

Lest anyone be curious, I have no stake in Roboform, but I have used it for a few years and found it very effective. In fact the original purpose, form-filling, was what drew me to it initially.`