View Full Version : Password Entry - SSL Environment
jessep28
05-05-2008, 11:09 AM
I think it would be beneficial for the user's security to have the password entry be restricted to an SSL secured area.
There are two options I see with this:
1) Make the homepage encrypted. For instance, http://www.mint.com/ redirects to https://www.mint.com/ (Example: Citicards.com)
Although I know it might be overkill for new, non-users just browsing Mint.com's site, as the response time for SSL secured pages is slower.
2) Separate username and password entry. The user can enter his/her username on the front page in a form and then the password on a following page which would be a 100% SSL secured environment. (Example: US Bank)
Thank you. This is an immensely helpful site you have built here.
ceejayoz
05-07-2008, 02:59 PM
Password entry is restricted to the secure site.
Take a look at the HTML. The login form's action is https://wwws.mint.com/loginUserSubmit.xevent - a secure site. Your password is never sent to the non-SSLed server.
jessep28
05-07-2008, 05:28 PM
However, there is no authentication at the point of login in the form of a security certificate to prove the site the user is logging into is genuine.
ceejayoz
05-12-2008, 03:40 PM
That's a valid complaint, just not the one you listed in your original post.
SteveO
09-21-2008, 05:51 PM
This is a major flaw I see as well. I like the additional security my bank uses (even though it's annoying sometimes :)): when I log into the website from a different computer, it verifies my identity using security questions set up initially. Mint should consider this in my opinion to make up for the lack of a secure login prompt.
oneseventeen
10-17-2008, 08:44 PM
Strongly agreed.
I've bookmarked: https://wwws.mint.com/login.event
ironically https://www.mint.com doesn't exist, and https://wwws.mint.com redirects to the unsecured http://www.mint.com
No biggie since I can just bookmark the login page. A good solution might simply be to have a link to login, instead of having the login form on the home page? (or securing the entire site, considering the nature of the site that might help business)
otherwise, awesome product!
SlowMB
11-01-2008, 04:03 PM
So why can't the Mint homepage be HTTPS? I was a bit nervous at first logging in because you are always taught to look for the https://. It seems all my other bank web pages are. Isn't Mint supposed to use "Bank Level" security? How about one of those nice login pictures everyone is using nowadays too?
mattg1000
11-17-2008, 08:57 AM
Why has the HTTPS default page been down? I can't get to https://mint.com or https://www.mint.com
I can get to http://wwws.mint.com/login.event though...
Never seen wwws used as a subdomain...
I agree that the default page (www.mint.com) should always send the user to an HTTPS link, otherwise there is a potential for the authentication information to be sent in clear text from the user's browser.
Brettski
01-06-2009, 09:59 PM
Strongly agreed.
I've bookmarked: https://wwws.mint.com/login.event
ironically https://www.mint.com doesn't exist, and https://wwws.mint.com redirects to the unsecured http://www.mint.com
No biggie since I can just bookmark the login page. A good solution might simply be to have a link to login, instead of having the login form on the home page? (or securing the entire site, considering the nature of the site that might help business)
otherwise, awesome product!
There are MANY sites which handle authentication like this. Keeping bookmarks is a pain and not available everywhere. If you are worried that it's not the proper site, simply click the "GO" or "Login" button, the authentication will fail and you will be directed to the secure login page, where you may verify to your heart's content. I think a single click on a submit button is an easy work-around for this, and it's good practice for the hundreds of sites like this.
Brett
michel
06-17-2009, 01:47 AM
password must be done with every security purpose....
tgecho
07-24-2009, 03:33 PM
I agree that the default page (www.mint.com) should always send the user to an HTTPS link, otherwise there is a potential for the authentication information to be sent in clear text from the user's browser.
The SSL icon on the actual login is a good reassurance for the user, but from a technical standpoint it means absolutely nothing. I can SSL the login page, but your login will still be in the clear if the next page is not encrypted. As it is the actual login page *is* encrypted, so there's really no problem.
SSL puts a heavier strain on the servers, so it doesn't make any sense to encrypt their home page and other public pages just for the fun of it.
cbass
11-13-2009, 09:42 PM
I would also like to see security questions as most banks do. If the site is displaying bank-level information, it should have a bank-level login setup. I do love the product, but this seems like it should be a high priority enhancement to the software.