[thelist] High Security Password

Fred Jones fredthejonester at gmail.com
Thu Dec 6 09:15:09 CST 2007

> Yes, this defeats the keylogger attack.
> ING has had this for a while.

Yep, that's my bank. :)

> I have wondered whether it is still
> possible to get the contents of that text box, because presumably the
> content of the box is your pin and not the letter-translated value.

Not correct.

> However, it seems odd that they wouldn't go the next step and store
> the translation algorithm in session and have the keypad output the
> translated value of your PIN into the box (which would then be
> translated back to your numeric PIN on the server).

The contents of the box are the letters, not the numbers--you can type 
the letters from the keyboard if you want, instead of clicking on the 
keypad--no digits are sent, just alpha.
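
Added example, not part of the original post and not ING's code: a server-side version of the scheme discussed in this thread, where the form field carries letters and the server translates them back to the numeric PIN. The random mapping per page load, the single-use rule, all function names and the plaintext `stored_pin` are assumptions for illustration; the thread does not say how the bank generates or rotates the letters.

```python
import hmac
import secrets
import string

DIGITS = "0123456789"


def new_keypad(rng=secrets.SystemRandom()):
    """Pick a fresh digit -> letter mapping for one login page (assumed per page load)."""
    letters = rng.sample(string.ascii_uppercase, len(DIGITS))
    return dict(zip(DIGITS, letters))


def decode_submission(keypad, submitted):
    """Translate submitted letters back to digits.

    Returns None if any character is not a letter on this keypad, so raw
    digits typed into the box are rejected rather than accepted as a PIN.
    """
    reverse = {letter: digit for digit, letter in keypad.items()}
    digits = []
    for ch in submitted.upper():
        if ch not in reverse:
            return None
        digits.append(reverse[ch])
    return "".join(digits)


def verify_login(session, submitted, stored_pin):
    """Check a submission against the session's keypad, then discard the keypad.

    stored_pin is a plaintext stand-in for whatever verifier the server keeps.
    """
    # Single use: captured letters are only valid for the page that showed them.
    keypad = session.pop("keypad", None)
    if keypad is None:
        return False
    pin = decode_submission(keypad, submitted)
    if pin is None:
        return False
    return hmac.compare_digest(pin.encode(), stored_pin.encode())


if __name__ == "__main__":
    session = {"keypad": new_keypad()}          # constructed sample session
    typed = "".join(session["keypad"][d] for d in "4071")  # what a keylogger records
    print("letters sent:", typed)
    print("first attempt:", verify_login(session, typed, "4071"))
    print("replayed letters:", verify_login(session, typed, "4071"))
```

If the mapping were fixed per account instead of regenerated, logged letters would be as reusable as logged digits, which is why the example discards the keypad after one attempt.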


