views:

109

answers:

4

Comcast has changed their login process so it happens in two steps. Instead of two input boxes for username and password, you submit your username first. Then on a second page you enter your password.

https://www.comcast.com/Customers/CustomerCentral.cspx

Due to some recent security improvements, we now require you to enter your user name and password in two separate steps.

What could the security improvement possibly be in this system? If anything it seems less secure since you can confirm the existence of a username independently from it's password.

Any ideas on what they're accomplishing here?

A: 

Simply so when you login to more secure areas of my account, you need to reenter your password instead of use the remember-me function, so if someone gets on the computer, all they can do is access email from a normal session. Yahoo does this also.

CodeJoust
A: 

Not sure if Comcast is doing the same thing, but I know a lot of bank websites I use lately started doing the following:

  • Prompt you for your username
  • Look up an image and a string that you specified at your account creation.
  • Display that image + string along with the password box.

The stated goal is so that, if you as a user notice that the image and string don't match what you picked when you created the account, you get suspicious and don't enter your password.

What is the benefit here? I don't see any either, as an attacker's script can just look up the image and string from the real login page. Maybe it makes dumb people feel more safe.

asveikau
what is the banking or the said company going to get by making dumb people feel more safe? wouldn't that be cheating?
Murali VP
maybe they feel people will not use it if they aren't convinced it has security features.
asveikau
It is probably the other way round, make smart people feel dumb making them wonder there is some hidden security feature that they are dumb to not understand.
Murali VP
A: 

It is strange, on the password page they require your email and password, not the user name.

The user name is not a secret, as you use it in your mail address probably....

They still allow you to "stay signed in" ...

So Actually, I don't think there is a real security benefit

You can get directly to the 2nd login page if you bookmark it....

Dani
+3  A: 

My guess would be that they are targetting specific phishing/keylogging software which is "used to" finding all the login information on the same page. It's making the job of some malicious software a little harder.

If you use the "automatically fill in my forms" feature of many browsers, this will also separate the login information into two separate entries in the browser's data store, again making things just a little harder for any software which might try to exploit this feature.

Carl Smotricz