Here's an out-of-the-box thought. What if I require more than one password on my sign-in page? Would that confound the phishing bots? (If so, then I could even allow the client to enter relatively easily remembered passwords).
grNadpa


Aren't 2 passwords really just the same as a username + password combination, or do you mean that users have to remember 3 things?!
Mike Swiffin - Community Team Leader
Only a woman can read between the lines of a one word answer.....
I started out with nothing... and still got most of it left!


My point is that the malicious software phishing bots expect just one password in addition to the username. Hence the bizarre requirements for developing passwords (e.g. 8 characters, uppercase, lowercase, number, special characters) as protection.
Adding a second password (or as you put it "remember 3 things") I'm thinking would defeat these bots because, even if it guesses one of the passwords, it's not expecting a second one -- and therefore will fail to break into the site.
As such, the passwords need not be so complex.
grNadpa
Afraid it would just make things more complicated for your users. Your users alone are responsible for creating strong passwords and managing them. It's not yours. The only thing you have to do is store them in a secure manner. And those bots could easily adapt to the change anyway.


Sadly, exactly the opposite thing will happen. Your strange and odd security measures will attract the attention of all sorts, resulting in special attention being paid to your site from groups who attempt to automate their way around such things.
Your best bet to avoid notice is to apply the same best practice techniques that others use. Those are the most reliably known ways to remain secure without annoying your users too much.
Programming Group Advisor
Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
Car is to Carpet as Java is to JavaScript
Nothing is impossible for malicious software trying to detect a password. Even if you put something new in place, you would rather attract the attention of programmers, as you are the founder of this innovation. They would go to far ends just to crack this challenge! In regards to the security, if you use md5 encryption, and if you instruct your users to create a difficult password with a combination of symbols, letters and numbers, with NO word from the English dictionary and no numbers in a proper sequence, there is no way a malware can decrypt it. This is because the encrypted code of every password keeps changing and only your server will be aware of the combination. Not even you!





Too complicated; some people wouldn't bother remembering those passwords. Just use a good captcha along with the password, like skrill.com does, and you should be fine. But no way 2 passwords.