It's all spinning wheels and self-doubt until the first pot of coffee.

Fighting phishing with counter-passwords

I just had a nutty idea to use against phishing scams:

When I visit a financial site, it generally requires me to enter a username and a password or PIN number in order to recognize me.

What if the sites I deal with included some personalized passphrase or shibboleth in every communication sent to me? That way, I'd recognize that that message came from some source with which I'd shared that code or mark, and that it wasn't a spoofed mass-mailing from an outside phisher. It'd be like them authenticating with my brain.

For example, say that my bank included the phrase "Oh, and say hello to Francis for me" in every email I received. Or maybe they chose from a set of 10 literary quotes pre-selected by me.

Now, assuming that financial sites didn't regularly expose their counter-password database, this might just work. Too complicated? Also, I don't think counter-password is quite the right phrase.

Archived Comments

  • How about "lightweight credentials"?

  • The credit union I used in Madison (uwcu.org) does this. I gave their system an incredibly silly but highly memorable phrase from a college roleplaying campaign, and they include it in the email they send me.

    Which never fails to make me grin. Added bonus.

  • Actually that's already being done by some banks in a slightly different way. Schneier was writing on hos blog about it a while back. Here is an example of it:


  • Ummm why fool around with stenography when we've got such an abundance of public key schemes? And no I don't think 'lightweight' or 'too hard for aunt minnie' count as reasonable answers. If it's worth doing it's worth doing well.

  • Psycho: The name's Francis Sawyer, but everybody calls me Psycho. Any of you guys call me Francis, and I'll kill you.

    Leon: Ooooooh.

    Psycho: You just made the list, buddy. Also, I don't like no one touching my stuff. So just keep your meathooks off. If I catch any of you guys in my stuff, I'll kill you. And I don't like nobody touching me. Any of you homos touch me, and I'll kill you.

    Sergeant Hulka: Lighten up, Francis. I notice that the Bank of America website calls it a passmark. I like that.

  • This has the Simon Says problem: It requires users to notice when something is not present. For the same reason that users don't notice the absense of the SSL "lock" icon, they won't notice the absence of the counter-password or passmark or whatever -- at least not enough of the time.

  • Wouldn't it be simpler to generate a custom From address which you could add to your AddressBook/WhiteList? Of course, you have to worry about having multiple computers with unsynched WhiteLists...

    Then of course there's the custom RSS feed to get you to subscribe to...

  • How about entering a serious of gibberish into the phisher's database? This way, when they try out their database the institution (say paypal.com) can notice that there are many failed logins from them? Or even automate it (amavis flags phishing attempts)

  • gads, someone who knows what "shibboleth" means

  • Several sites I deal with already do something along these lines. For example, many banks and credit card companies will start the messages with something like "This message is in regard to your account ending with 9876". And some other sites will include your full name and/or login name. Which may or may not be useful, depending on how public that information is on that particular site (or in general).