Why do banks separate username/password?

Discussion in 'Web Design and Development' started by Aperture, Jul 2, 2009.

  1. Aperture macrumors 68000

    Aperture

    Joined:
    Mar 19, 2006
    Location:
    PA
    #1
    If you go to any major online banking site, you'll probably notice that the login separates the username & password onto two separate pages. Why do this? What is the security advantage?
     
  2. MacDawg macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #2
    Neither of my 2 banks do this

    Woof, Woof - Dawg
     
  3. slpdLoad macrumors 6502a

    slpdLoad

    Joined:
    Jun 10, 2009
    #3
    Mine does this. Also, when I'm at the password stage, there's a picture and a phrase that I added that is unique to my account. Makes it much harder to spoof the site that way, although I'm not sure about the multiple page thing.
     
  4. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    Ditto with my bank. The separate page thing is to make it a little harder to spoof the session, as well as giving the system a chance to find the image associated with your account so it can be shown to you.
     
  5. NoNameBrand macrumors 6502

    Joined:
    Nov 17, 2005
    Location:
    Halifax, Canada
    #5
    Wait. How does showing you stuff you've uploaded after you've given one part of the authentication help stop spoofing?

    My spoof site looks like your bank site. You enter your username and click the button to go to the next page. My spoofing site goes to your bank's site and performs the same operation, getting the content you provided to the bank, and then showing it to you on the next page. Spoof continues unhindered.

    Or am I missing something?
     
  6. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    No uploading involved. As I said, it makes it harder, not stops it. I'm sure they do other stuff on that back end as well to help detect spoofing. Also, you're talking about a phishing site, whereas the spoofing I'm referring to involves the session variable on the server.
     
