The structure of the Verified by Visa (and its Mastercard equivalent, 3D-secure) means that an online seller will not be able to keep my credit card details and re-use them later (for nefarious purposes) as I only provide my password directly to Visa NOT to the seller themselves.

Great, I thought!  Until I noticed that the site that was asking me to setup my password (and I would presumably have to re-enter my password at a later date) did not identify itself in any meaningful way. Check it out for yourself https://www.securesuite.co.uk.  Notice that the ‘site owner’ does not appear in the Firefox/MSIE7 location bar and even if you examine the SSL certificate it seems to be registered to a company called CYOTA Inc. The only mention of ‘Verified by Visa’ is buried in the Organisational Unit entry in the certificate.

Now we can obviously google our way to finding out that CYOTA Inc are owned by RSA who probably provide the systems for Verified by Visa, but really…

The whole process is predicated on the buyer knowing that they are providing their password to Visa and no-one else so I find it incredible that Visa, CYOTA and the issuing banks are not addressing the confusion they are causing.

Worse still they aren’t just confusing the public about Verified by Visa, they are also positively ENCOURAGING user to ignore the warning signs of phishing attacks.

After attempting to import my Firefox password list only to told that I had exceeded my allocated number of of entries by -97 (yes, minus 97).  Hmmm!  a few emails back and forth to the (very helpful) Passpack support team, plus the dicovery that I have third party cookies turned off on Firefox (forgot that) and I got it up and running.

So do I like it?  Well it’s exactly what I wanted, but not actually what I need.  You see it forces me to be a bit too secure.  In order to login to a website without remembering the password, I have to:

1. login to Passpack – no problem it supports openID (and I can have ‘remember me’ turned on my computers)
2. perform the humanity test (a nice one actually – just click the black square)
3. provide my packing key – which must be a fairly long and safe key.  This is slightly annoying as I am an incredibly bad typer and have trouble typing more than 2 keys in the right order at the best of times.  So trying to get a 20 character packing key right when I can’t see what I’ve typed takes numerous tries.
4. locate the appropriate entry for the site I wish to visit.
5. click the link to be forwarded to the site
6. click the ‘Passpack it!’ bookmarklet (if I have the bookmark tool bat turned on – I don’t normally)
7. and there, Robert’s your mother’s live-in-lover.

Now I know that this would probably be a lot easier if the domains in my password file (not sure why the don’t), but it’s all such a bloody palaver.  Compare that to the Foxmarks experience:

1. I go to the site I want to use
2. Firefox prefills my details

Okay so there is a downside.

• I can’t store any data, just passwords
• I can’t use other browsers
• I can’t use a public access (or a friends) computer

Well, I’m thinking that I’ll stick a copy of Firefox passwords on my Truecrypt encrypted USB key to cover most of those issues.  Sorry Passpack – but you’re just too secure for me!

Now if only Foxmarks would support openID, I’d be have just one password to remember.  I’m not sure what I’m going to do about my accessing on my iPhone though!  Any ideas?

Any organisation provides me with a ‘secret’ number or a passphrase (or restricts what passphrase I can use) that I have to remember to login is effectively putting my data at risk by forcing me to write that passphrase down.  I can remember pin for my debit card and another one for my credit card, the password for my email is easy as I use it everyday), being asked to remember 2 more numbers (not of my choosing for an online account I use once every 6 months… Why would I?  How could I?  So I write it down… and remove any semblance of security!

If they can’t pick-up on the OpenID movement couldn’t they at least have the decency to let me choose my own damn password?