Any creative solution to make it harder for hackers to copy your IdP login page?

Martin Lunze martin.lunze at
Tue Mar 27 02:24:10 EDT 2018

With the way to enter firstly the name and later the password it could 
be also possible to bruteforce / guess usernames.
In my opinion not a good idea!

With nice regards

Am 26.03.2018 um 23:23 schrieb Cantor, Scott:
>> My credit union discourages phishing by prompting for the username on one
>> page ( and the password on another (
>> The password page is customized based on the username. When I set up my
>> CU account (years ago), I had to choose a Security Phrase and a Security
>> Picture. These always appear on my custom password page.
> The problem is screen scraping, it's really not defeatable if you don't bother to check the bar. There are tricks like the phrase or picture to force one to actually screen scrape (anti-XSRF stuff is another), but if somebody is willing to scrape it in real time there isn't much that will work, and it defeats MFA for at least that transaction. You just throw and error back to the user to make them think it failed, and meanwhile off you go with your sesson.
> The fix of course is token binding.
> -- Scott

Martin Lunze

Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden

Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5677 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the users mailing list