> This would require the bank to serve its home page from https, including a redirect from http for every visitor
And that's a bad idea why exactly?...
> Setting all login ID's to users' email addresses: This just removes more entropy from the login security process, since I now know that logins come from the set of valid email addresses.
Currently the username at my bank is a 9-digit number and they've got "over 30 million customers"; I'm pretty sure I can guess a valid username in under 10 tries ;) Meanwhile, emails are almost an unlimited search space. The only thing that changes is that you're more likely to know who the email belongs to.