web application security lab

Passmark Works Less Than 10% of the Time

I laughed out loud when a friend of mine sent me this link on a study by Harvard and MIT on the effectiveness of SiteKey. I really want to yell from the rooftops, “I told you so.” I’ve looked into that technology a dozen times, in a dozen different incarnations, and each time I just shake my head. It’s just not effective: (a) people don’t understand how it works, and (b) if the image doesn’t show up on the page, users don’t realize they are on a malicious website - at best they think SiteKey is just broken.

This we can file in the “users cannot be trained” category. You cannot expect users to know what a good site is versus a bad site. It doesn’t work (at least for 9 out of 10 people). I would have guessed slightly more people would have figured it out, but even if it were 7 out of 10 people, that’s barely worth wasting your time and money on - not to mention the bad press that comes from rolling out flawed security measures. No, it’s not up to the consumers to protect themselves. That’s OUR job. We need to take it out of the users’ hands and bring security to bear to protect them because, as we can see, users cannot be trained to protect themselves.

5 Responses to “Passmark Works Less Than 10% of the Time”

  1. kuza55 Says:

    Mmm, I saw that as well, but I haven’t been able to find any exact details about the protection in terms of how it actually works from a technical perspective. Does it show the user the image before they log on? In which case, how do they know which user it is? Does the user enter their username/account number? Or is there a persistent cookie which tells the site what user it is? In which case it only works on computers you’ve used before.

    But seriously, if the user isn’t going to protect their credentials there’s not much we can do; it’s like users who fall for 419 scams - there’s not much we can do from a technical perspective because they’re willingly sending their money (or credentials) to other people.

    The IE7 initiative to have the special SSL certs (I can’t remember what they’re called right now - Extended Validation or something?) which cause the URL bar to go green might work, but there are issues there over who you give certs to, and people saying that being a legal entity in no way proves anything and that sophisticated criminals will only benefit from this - but we’ll see.

  2. mgroves Says:

    Is this the thing where you choose a picture and/or phrase that’s supposed to appear before logging in?

  3. Spider Says:

    Yeah. I saw that. I think the days of banking being accessible through a general purpose web browser are drawing to a close. I think it might be a better idea to just write a custom app with public key two-phase authentication built in. That way, it should be even less likely for people to be tricked by clicking on an email link and less important for them to keep the password secure. It’s nice that I *could* fly to Poland and still have access to my bank account from any cybercafe, but it might be a better idea if that wasn’t possible.

  4. H.E. Sum Says:

    A bigger problem with anti-phishing measures like SiteKey is that they are fundamentally flawed. Take Bank of America for example:

    Even though you are presented with a challenge question before your SiteKey is displayed, this step can just be incorporated in a fake login page. The phishing site can then take your user ID and answer to the challenge question and make a server-side request to It’ll strip your SiteKey from that request and display it in a fake password entry page.

    The whole SiteKey “solution” just adds a little bit of work for the phisher and a whole lot of false security for the user.

  5. RSnake Says:

    Amen! The MITM aspect of almost all forms of “strong” auth - including tokens - is only a minor setback for an attacker. If I were to give you a firewall that only worked as long as you didn’t precede your attack with a certain known string you’d laugh. I don’t get why people think this is helping - and clearly it’s not even in the most obvious cases.