Roy Schestowitz wrote:
On-line banks appear to prefer variations which take random permutations of
subsets from the password string. If all is on top of HTTPS, keyboard spying
must be the concern.
The answer is clear - two-factor authentication.
It doesn't matter if they keylog me - well, it does because they see
what I do, but they can't use that information to gain access a second
time. They would have to steal my token and somehow learn its activation
code for this.
American banks seem to want to be cheap in this respect though :)
( Some banks just distribute loads of one-time pads )
I think there's a conference of security in the banking industry on at
the moment - might poke my nose in if they have anything on the topic.